IT PRO PERSPECTIVES



Otey 

"Microsoft is in a unique position in the 
industry to deliver on its cloud vision at a 
number of different levels." 


Microsoft's Evolving Vision of the Cloud 

A whole new computing paradigm 


At TechEd 2011 in Atlanta in May, Microsoft elaborated on its vision of the cloud, which has quickly evolved. Microsoft now articulates its vision of the cloud as a new computing paradigm.

As I understand it, Microsoft is defining the cloud as a collection of services that can be managed as a unit. These services can be collections of virtual machines (VMs) or servers performing a common task. For instance, you might group together a set of five VMs into a service where three of the VMs are configured as web servers, one is configured as a business tier application server, and one is configured as a back-end database server. The entire group is defined as a service, and IT can manage a single entity. These services can be either on premises or off premises. If they are on premises, you can think of them as a private cloud. If they are off premises, consider them the public cloud. A combination of on-premises and off-premises services is the hybrid cloud.

However, the cloud and cloud management don't necessarily mean external services such as Windows Azure. The cloud can also be your own internal IT resources where a management layer abstracts those resources into a private cloud. One of the key technologies that enables this paradigm is Microsoft's upcoming System Center Virtual Machine Manager 2012. VMM 2012 introduces an entirely new feature set that lets you create and manage clouds, building on its ability to manage Hyper-V, XenServer, and vSphere VMs.

Microsoft is in a unique position in the industry to deliver on its cloud vision at a number of different levels. In addition to providing management software that facilitates the creation of a private cloud infrastructure, Microsoft is leveraging the power in its global data centers to deliver Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings. Although IaaS isn't Microsoft's primary push, it's available through the Windows Azure Hyper-V role. Windows Azure and SQL Azure are both PaaS offerings that allow you to build and run your own cloud applications on top of them. SaaS offerings such as Windows Small Business Server (SBS) 2011 Essentials, Office 365, and Windows Intune provide ready-to-run services that are all hosted by Microsoft. Steve Ballmer's "We're all in" cloud computing rhetoric at last year's Professional Developers Conference (PDC) seems to have rung true. Microsoft has made some big strides in cloud computing and done so very quickly.

The real question seems to be: Are businesses all in for cloud 
computing, too? It's clear after talking to many TechEd attendees 
that, even in this pro-Microsoft crowd, so far there are far fewer 
buyers in this cloud scheme—certainly less than Microsoft would 
like you to think. However, that's in part because the cloud isn't 
just about technology. The cloud also has the potential to be career 
changing, and there's a vast difference in perspective between IT 
pros and developers. 

Developers have very little trepidation about the cloud. Many see it as a new opportunity. However, the IT pro perspective isn't nearly so optimistic. IT pros see the cloud as potentially threatening jobs when administrative positions are lost to off-premises services. Although this scenario is a possibility, it's also true that just moving services off premises doesn't mean that the need to manage those services goes away. For instance, if an organization decides to move its email from an in-house Microsoft Exchange Server to an off-premises hosting service, there will still be a need to add and delete users and mailboxes, as well as maintain distribution lists and internal email policies.

The silliest trend that I saw at TechEd 2011 and that I hope never materializes was the use of the Xbox Kinect for IT. We all saw Minority Report and Tom Cruise with the cool virtual monitor, but who really wants to have to connect their Xbox to a business system and wave their hands at it? Not me. The cloud seems like it could be the real future of computing, but the Kinect just seems like a desperate attempt to try to be cool. Hand waving is never good for demos, and I don't think it's going to replace the mouse anytime soon.

As an introduction to a reviewer's workshop at TechEd, Dave 
Campbell, Microsoft technical fellow, noted that he thinks the 
cloud presents a new paradigm in computing and that we're 
about 3 years into a 10-year cycle. Microsoft's cloud offerings 
have evolved very quickly and are now at the point where many 
businesses might want to seriously consider one or more cloud 
options. 

InstantDoc ID 136246 

MICHAEL OTEY (motey@windowsitpro.com) is senior technical director for Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server 2008 New Features (Osborne/McGraw-Hill).
BUSINESS TECHNOLOGY PERSPECTIVES


James 

"A number of forces are disrupting the BI market, with new players providing Software as a Service (SaaS) BI solutions that take advantage of the cloud and mobile devices to give a wider assortment of customers access to the benefits of BI."



Business Intelligence for IT 

Self-service business intelligence + the cloud + mobile devices = the next big thing?


Technology press, pundits, analysts, and bloggers have been churning out billions of bytes of copy extolling the virtues of virtualization and cloud computing for years. Both technologies have revolutionized IT, yet both have also been surrounded by massive amounts of hype and marketing speak. I'm not arguing that virtualization and the cloud don't deserve most of their accolades, but the unrelenting hype-machine fog-generator for these two technologies unintentionally obscures some other promising technologies. They're like two A-list celebrities that suck all the attention and oxygen out of a room, often at the expense of other promising new talent. I'd argue that one of the promising new IT technologies not getting its due is business intelligence (BI), which has been growing in both market penetration and capability over the past few years.

BI isn't new; it has actually been around for years (see "What's Next for the BI Market," www.windowsitpro.com, InstantDoc ID 97628, for a historical perspective), dominated by massive vendors like IBM, Oracle, SAP, and Microsoft who have managed to gobble up smaller BI vendors like Business Objects (acquired by SAP in 2007), Cognos (acquired by IBM in 2008), and Hyperion Solutions (acquired by Oracle in 2007). MicroStrategy, SAS, and Information Builders are other prominent standalone BI vendors.

Traditionally, BI has required IT departments to work with one of the aforementioned mega-vendors to install a BI platform that integrates with an existing infrastructure, then gets access to relevant data sources that provide meaningful business information. For example, a retailer with massive amounts of customer, inventory, and sales data can use a BI solution to generate reports and information to help business leaders make meaningful business decisions. BI was a vital, useful tool for those that could afford it, but small-to-midsized businesses (SMBs) often went without.

Now a number of forces are disrupting the BI market, with new players providing Software as a Service (SaaS) BI solutions that take advantage of the cloud and mobile devices to give a wider assortment of customers access to the benefits of BI. Traditional BI deployments can often have imposing installation and maintenance costs, and the in-house IT department might not have the skills and resources needed to effectively implement an on-premises BI solution. I've blogged a bit about how quickly SaaS BI is growing (www.windowsitpro.com/go/SaaSBIMarket), but the continuing inroads being made by mobile devices (particularly the iPad) are flooring the accelerator for that trend. It seems that low-cost, cloud-powered, self-service BI solutions—with information delivered directly to stakeholders via a mobile device—are a powerful development in the once stodgy BI space, and these solutions promise to deliver real business value into the hands of customers.

Patrick Oates, CEO of Wine Management Systems (WMS), is leading a company that's a perfect example of how the cloud, self-service BI, and an increasing trend toward applying BI to very vertical markets can pay dividends. I interviewed Oates a few months ago (www.windowsitpro.com/go/iPadEnterprise), and his comments sum up what I believe is the "killer app" potential of mixing the cloud, BI, and mobile devices: "'The wine industry historically has not been very technology minded,' says Oates. 'We traditionally have had to do a lot of explaining about how technology can impact the wine business. We're essentially delivering a SaaS product, and the iPad has been a great tool for us—we're the only [winery BI] service that can be used with an iPad.' Oates praises the iPad for its wireless connectivity, 'instant-on' operation and for giving customers a mobile device that can easily be used on the go. Non-technical users can intuitively access WMS services using a web browser and the iPad touch screen, without having to lug around a heavier laptop."

A flood of vendors have entered the SaaS BI market in recent years, including Actuate, Birst, GoodData, Host Analytics, QlikView, Oco, Panorama, and PivotLink, while larger BI players like IBM, Oracle, Microsoft, and MicroStrategy are introducing products to take advantage of the move toward self-service BI. And all of them are racing to get a larger presence on smartphones and connected tablets.

Like virtualization and the cloud, this new wave of BI solutions is surrounded by some myths and overstatements. For example, SaaS self-service BI isn't a fit for all situations, and it absolutely won't remove the need for smart IT professionals to help business stakeholders get the most out of the solutions they deploy.

However, the trend toward giving business owners powerful new ways to collect, view, analyze, and act upon their own business data is a welcome one. All of these developments are helping drive down the once prohibitive cost of BI solutions and broadening use of technologies that can make all businesses and organizations more agile, efficient, and responsive.

InstantDoc ID 136292 

JEFF JAMES (jeff.james@penton.com) is industry news analyst for 
Windows IT Pro. He was previously editor in chief of Microsoft TechNet 
magazine, was an editorial director at the LEGO Company, and has more 
than 15 years of experience as a technology writer and journalist. 
Thurrott

"But this isn't just a box: It's what Google calls 'hardware 
and software packaged together as a service'; what this 
gets you is a Chromebook but also a central 
(web-based) management console." 



Microsoft's Flexible Workspace Initiative, Google Chrome, 
Chromebox, and Ice Cream Sandwich 


As we head into the middle of 2011, Microsoft is moving quickly with plans to flesh out its on-premises server solutions while quickly revving the cloud-based alternatives that may one day be the company's core products. Microsoft's competitors aren't sitting still either: Google announced key initiatives at its Google I/O Conference this year.

TechEd 2011

While Microsoft hosts and participates in various important IT- 
related conferences of its own throughout the year, none is as 
important as TechEd, held this year in Atlanta. As always, there 
were various product announcements at the show, and some are 
certainly worth mentioning. But I'd like to highlight the start of a 
new Microsoft initiative that will be familiar to any of you that are 
aware of, and potentially taking advantage of, a previous strategy 
from the company called the optimized desktop. 

For the uninitiated, the optimized desktop is essentially a formalization, or integration, of various Microsoft software solutions with the goal of creating the ultimate desktop PC, regardless of the needs of your users. It's all based around Windows 7 Enterprise, because that version of the OS includes features—such as DirectAccess and BranchCache compatibility, federated search, BitLocker and BitLocker To Go, and AppLocker—that aren't available in the lower-tier versions. Throw in a ton of desktop management and deployment tools, like those in the Microsoft Desktop Optimization Pack (MDOP), and a modern version of Internet Explorer, and you've got a party.

The optimized desktop makes sense, but it's been kicking around 
for four years now, and as Microsoft sources told me at the show, the 
world is changing. Microsoft felt it needed to address the emerging 
needs of a highly mobile and diverse workforce in which employees 
often work at home, on the road, or on the go. 

Microsoft's new initiative, called flexible workspace, seeks to meet this need and the more general notion of the consumerization of IT. The scenarios addressed by the flexible desktop are solid and reflect real-world needs. These include:

Anywhere connectivity. Thanks to DirectAccess, users can 
have seamless connectivity to their work-based resources without 
the complexity or unreliability of a VPN. 

Phone. Microsoft's new smart phone platform, Windows Phone, includes a complete SharePoint client with offline access and mobile versions of various Office applications, giving users nearly the same access to their work-related content on the phone as they get from a PC.

Multiple devices. Users are turning to mobile devices, including non-Windows devices such as iPads and Android handsets. Depending on the device type, there are various ways in which they can access work resources on the go. These include VDI experiences, such as those offered by Citrix, which provide a remote version of the user's full desktop. Those with Windows devices have more options, thanks to solutions like Application Virtualization (App-V), folder redirection, roaming user profiles, and the like.

Centralized device management. The next version of Microsoft's management server, System Center Configuration Manager 2012, will include support for managing both Windows and non-Windows devices, the latter through the devices' Exchange ActiveSync (EAS) compatibility (common to iPhone, iPad, Android, and many others). This is an exciting capability that should enable users to use the devices they prefer but in a more secure and controllable way of which IT will approve.

Unlike the optimized desktop, I think the flexible workspace is easier to understand up front. But like its predecessor, flexible workspace requires some pretty serious on-premise infrastructure. Yes, it's infrastructure that Microsoft's corporate customers are likely to have on hand, and that's just fine. But I think this concept really takes off when a coming generation of cloud-based products and services opens up the workspace to businesses of all sizes. That will come: It's hard not to imagine a future version of Windows Intune that brings these capabilities to the cloud, perhaps even in a decentralized way that would appeal to much smaller companies.

More from TechEd 2011 next month. 

Google Chrome OS, Chromebook, and Chromebox 

At its annual developer confab, Google I/O, the software giant unveiled several initiatives that will directly affect consumers and business users, as well as Microsoft. That's because Google's increasingly aggressive strategy is putting it in direct competition with the software giant in virtually all of its key markets. A case in point: Google Chrome, the web browser, has morphed into a general-purpose OS for PCs, notebooks, and other devices. It will be generally available by the time you read this, or shortly thereafter.

Chrome, of course, has been a shining success story for Google. Since releasing the first version of the browser in late 2008, Google has maintained the product's number one differentiator (performance) while enhancing it in dramatic ways. Usage, too, has skyrocketed: One year ago, Google claimed that Chrome had over 70 million active users. Today, it's over 160 million.

Google also pushes Chrome ahead very quickly, a fact that clearly inspired Microsoft's Internet Explorer team to speed up development. But Chrome development is off-the-rails fast: Google delivers a new version of Chrome every six weeks, so while it was only at version 4 a year ago, it's at version 12 today.

With its web-centric worldview, it's not surprising, perhaps, that Google has used Chrome as the basis for its web-based, general-purpose OS, Chrome OS, that will ship with new hardware starting in June 2011. (Well, it's somewhat surprising, since Google's Android OS is quickly expanding beyond the smart phone and can now be used in general-purpose tablet-type computing devices as well. More on this below.)

Since its limited beta release in late 2010, Chrome OS has improved in interesting and useful ways. Designed to be used online, Chrome OS originally had some connectivity limitations in that it couldn't be used to do much if the computer wasn't online. So now Google has added offline capabilities to key services—like Gmail, Google Calendar, and Google Docs, its Microsoft Office alternative. And third parties that make Chrome "apps"—specially made web apps—can do so as well. (And many do, especially games.)

Related to these offline features is a 
set of new panels and UIs that help users 
do more with the machine. In the beta 
version of Chrome, there was no formal 
file browser, for example, or obvious way 
to move photos from a camera, interact 
with MP3 music files, or play locally stored 
movies. These issues have all been solved, 
and, in a uniquely "Googley" way, they've 
been implemented with a decided online 
bent. You can now download pictures from 
a camera, for example, and upload them to 
Google's Picasa service or any third party 
that adopts Chrome's extensibility APIs. 
Ditto for documents and other file types. 

If you can accept the fact that a simple, often-connected Chrome OS-based device makes sense when compared to an expensive, complex, but far more full-featured traditional PC running Windows, you may also be interested to know that a variety of PC makers are selling Chrome OS-based notebooks (called Chromebooks) and Chrome OS-based "Chromeboxes" as well. These machines are low price ($349 and up at retail), with a standard set of functionality including 8-second boot time from a dead stop, instant resume, and killer battery life (6.5 to 8 hours on the first-gen machines).

Even more intriguingly, they'll be made available for per-user subscription pricing to businesses, government, and educational institutions for what appears to be reasonable terms: $20 per month per user for educational and governmental institutions, and $28 per month per user for businesses. But this isn't just a box: It's what Google calls "hardware and software packaged together as a service"; so what this gets you is a Chromebook but also a central (web-based) management console from which you can manage devices, users, apps, and Group Policy. For a modern workforce working on the web, this could be a viable option. While I imagine most traditional IT shops are shuddering at the relatively primitive nature of this solution, there's potential for cost savings. And let's face it: This will improve quickly and dramatically over time.

Google Android in 2011 

Google's Android OS for smart phones, and now tablet computing devices, is an absolute sensation, the number one selling smart phone OS in the US and around the world, and the mobile platform most analysts feel will dominate for years to come. Google claims that it's activating over 400,000 Android devices every day. As of this writing, there are over 100 million activated Android devices worldwide.

While Android's success is easily seen in these numbers, one might wonder why Android is so successful given that Google's decision to leave the platform open has created a tech world version of the Wild West, with a variety of devices each running some random Android version, many of which will never be updated to more modern features via OS upgrades. Tech wonks call this "fragmentation," and those of us who back more tightly-controlled systems like Apple's iPhone (or to a lesser degree, Windows Phone), point to this issue as perhaps the single biggest problem with Android.

Google hasn't helped matters by arbitrarily introducing further Android fragmentation of its own with the quickie release of Android 3.0 in early 2011. This version of Android, also called Honeycomb, was the first to be designed specifically for tablet-type computing devices—those that compete with Apple's iPad—and at the time, Google said it had no plans to port any of Honeycomb's unique features to Android smart phones.

That's finally changing, and Google is addressing the original fragmentation issue as well. It will keep Android open, so its partners are free to do what they will. But Google is starting a consortium of important Android hardware partners and wireless carriers that promise to keep updating their devices with new Android OS versions for at least 18 months after purchase. The goal is to help Android users feel like the device they purchase will remain supported for the duration of their wireless contract and not strand them on older Android versions, as is now commonly the case.

As for the Android OS itself, Google will roll Honeycomb and other new features back into the core Android OS in a future release, annoyingly code-named Ice Cream Sandwich (and most likely to be named Android OS 4.0), due in September or October 2011. This Android OS will ship for both phones and tablets, and will include a new UI, better multitasking, a new launcher, and richer widgets, among other changes.

Will this be enough to satisfy complaints and keep Android in the driver's seat in the mobile industry? Yes, I think so. Google is doing a lot of work to ensure that Android 4-based apps look and work equally well on smart phones and tablets, which is quite a feat given the screen size and processing power differences. It will be interesting to see whether Apple announces similar plans for iOS (iPhone + iPad) later this year.
WINDOWS POWER TOOLS


Minasi 

"You'll be Doctor Boot 
in no time!" 



Build a Bootable BCD from Scratch with Bcdedit 

Manipulate the Boot Configuration Data file 


In "Fix Unbootable Systems with Bootsect" (June 2011, InstantDoc ID 135806), I talked about how to fix a Windows 7/R2 system that can't boot, and I bolstered that discussion with an explanation of the Windows 7/R2 boot record and the Bootmgr application. Once Bootmgr starts up, though, it needs some marching orders, and it gets those from a binary file called the Boot Configuration Data (BCD) file, which usually lives in a folder named \boot on the active partition. You use Bcdedit to configure the BCD file. This month, I'll show you how to use that tool to build a bootable BCD from scratch.

A working BCD file typically contains at least two objects. First, it has a Boot Manager, which contains overall boot information such as which OS entry to boot by default and the number of seconds to wait for the user if more than one OS entry exists. Second, it contains at least one OS entry. Here's how to create them.

Start by deleting any existing BCD files and creating a new empty BCD file. Bcdedit quirkily requires you to first create a new BCD file somewhere and then "import" it—a process that copies whatever is in the new BCD file into the "official" BCD file in \boot on the active volume. You can do that by typing two commands into an elevated command prompt:

bcdedit /createstore bcd
bcdedit /import bcd

These commands work whether you already have a \boot\bcd in 
place or you're working from a toasted boot volume that lacks any 
BCD file at all. Now that you've done that, the "sacrificial" BCD file 
is no longer necessary, so you can delete it. 

Next, create the Boot Manager piece of the BCD file by typing 

bcdedit /create {bootmgr} 

Note the /create option in this command instead of the /createstore option in the earlier command. You'll use the former quite often in BCD work and the latter much less so. The /create option lets Bcdedit create several different kinds of BCD objects. Invoking it with the {bootmgr} identifier creates that overall Boot Manager section. (Note that I haven't included a description with the /d option, despite the fact that every example I can find on the Web does. It's superfluous when creating a Boot Manager object.)

The Boot Manager doesn't need much tweaking, but it does need to know what volume to boot from and how many seconds to wait for a user to choose an OS option, as in

bcdedit /set {bootmgr} device boot
bcdedit /timeout 30

Next, create the OS entry object that will tell the Boot Manager to boot Windows from files in the \Windows folder on one of the system's volumes. That volume is usually C, but if you're booted from Windows Preinstallation Environment (WinPE), double-check which drive has the Windows folder on it—WinPE might see it as D or E. (That'll be important in a minute.)

Now, create the OS entry object: 

bcdedit /create /d "Windows 7" /application osloader 

The /create option (without an ID) and the /application osloader option tell Windows that you're creating an OS entry for a Vista-and-later version of Windows. (The /d option contains the label Boot Manager shows when offering multiple OS entries.) That returns a new GUID that you should plug into this next command:

bcdedit /default {<GUID>} 

At this point, you've got a naked object that needs some values with the Bcdedit /set command that I introduced in earlier Bcdedit columns, but what to set those values to? Simple! Look at the output of Bcdedit on a healthy copy of Windows, and use it as a model. In my case, the \Windows folder is on drive D, so I entered these:

bcdedit /set {default} device partition=d:
bcdedit /set {default} path \windows\system32\boot\winload.exe
bcdedit /set {default} osdevice partition=d:
bcdedit /set {default} systemroot \Windows
bcdedit /set {default} detecthal yes

Finally, add this command, or Windows won't see the OS entry 
properly: 

bcdedit /displayorder {default} /addlast 

Give this a try with a test machine or two, and you'll be Doctor Boot 
in no time! 
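The column's steps scripted end to end, as an added example that is not Minasi's code: it probes for the volume that actually holds \Windows (the WinPE drive-letter pitfall above), parses the GUID that bcdedit /create prints so it can be handed to /default, and finishes with bcdedit /enum all as the check against a healthy machine. It assumes an elevated prompt or WinPE with PowerShell, English-language bcdedit messages, and exactly one volume holding a Windows installation; Invoke-Bcdedit, Get-WindowsVolume and Get-EntryGuid are helper names of my own.

```powershell
# Added example (not from the column): scripts the bcdedit steps above.
# Assumes an elevated prompt or WinPE with PowerShell, English bcdedit
# messages, and exactly one fixed volume that holds a Windows installation.
# It replaces the live \boot\bcd, so point it at a test machine.

# Run bcdedit and stop on a non-zero exit code rather than continuing with a
# half-built store. Arguments are passed as literal strings, so identifiers
# such as {bootmgr} are not parsed by PowerShell as script blocks.
function Invoke-Bcdedit {
    param([string[]]$Arguments)
    $output = & bcdedit.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit $($Arguments -join ' ') failed: $output"
    }
    return $output
}

# Under WinPE the Windows volume is often D: or E: rather than C:, the pitfall
# the column calls out, so probe every filesystem drive instead of assuming.
function Get-WindowsVolume {
    $hits = @(Get-PSDrive -PSProvider FileSystem |
        Where-Object { Test-Path (Join-Path $_.Root 'Windows\System32\winload.exe') } |
        ForEach-Object { $_.Name })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one volume with \Windows, found: $($hits -join ', ')"
    }
    return "$($hits[0]):"
}

# bcdedit /create reports "The entry {GUID} was successfully created."; pull
# the GUID out so it can be handed to /default without retyping it.
function Get-EntryGuid {
    param([string]$CreateOutput)
    if ($CreateOutput -match '\{([0-9a-fA-F-]{36})\}') {
        return "{$($Matches[1])}"
    }
    throw "No GUID found in bcdedit output: $CreateOutput"
}

$windowsDrive = Get-WindowsVolume
$tempStore    = Join-Path $env:TEMP 'bcd.new'

# Step 1: sacrificial store, imported over the live store, then discarded.
Invoke-Bcdedit @('/createstore', $tempStore) | Out-Null
Invoke-Bcdedit @('/import', $tempStore) | Out-Null
Remove-Item $tempStore -ErrorAction SilentlyContinue

# Step 2: the Boot Manager object, its boot device, and the menu timeout.
Invoke-Bcdedit @('/create', '{bootmgr}') | Out-Null
Invoke-Bcdedit @('/set', '{bootmgr}', 'device', 'boot') | Out-Null
Invoke-Bcdedit @('/timeout', '30') | Out-Null

# Step 3: the OS loader entry, made the default via its captured GUID.
$created = Invoke-Bcdedit @('/create', '/d', 'Windows 7', '/application', 'osloader')
$guid = Get-EntryGuid ($created -join ' ')
Invoke-Bcdedit @('/default', $guid) | Out-Null

# Step 4: the values the column copied from a healthy Windows install, with
# the partition letter filled in from the probe above.
$settings = @(
    @('device',     "partition=$windowsDrive"),
    @('path',       '\windows\system32\boot\winload.exe'),
    @('osdevice',   "partition=$windowsDrive"),
    @('systemroot', '\Windows'),
    @('detecthal',  'yes')
)
foreach ($pair in $settings) {
    Invoke-Bcdedit @('/set', '{default}', $pair[0], $pair[1]) | Out-Null
}

# Step 5: add the entry to the display order, then list the finished store
# so the result can be compared against a known-good machine.
Invoke-Bcdedit @('/displayorder', '{default}', '/addlast') | Out-Null
Invoke-Bcdedit @('/enum', 'all')
```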

InstantDoc ID 136066
Otey

"Power Optimization in VMM 2012 can use 
Live Migration to consolidate running VMs 
onto fewer virtualization hosts, then power 
down the unneeded hosts." 


New Features in Virtual Machine Manager 2012 

Better provisioning features, power management, and other optimizations 
are coming with the next release of VMM 


At this year's Microsoft Management Summit 2011 in Las Vegas, Microsoft announced a massive update to the System Center management suite. All the members in the System Center family are slated to receive big updates, but Virtual Machine Manager (VMM) is probably the System Center product with the most significant updates coming. VMM 2012 is due out in the second half of 2011. You can download the public beta from the Microsoft Download Center (tinyurl.com/6hgbzvp) now. Meanwhile, here are 10 of VMM 2012's most important enhancements.

1. Manage multiple hypervisors—VMM 2012 will be able to manage all the major virtualization platforms. In VMM 2008, Microsoft added the ability to manage VMware's vSphere Server via vCenter Server. With the release of VMM 2012, Microsoft is adding management for Citrix XenServer. However, support for Microsoft Virtual Server 2005 and ESX 3.0 has been dropped.

2. Support for cloud, fabric, and services management—It's no surprise that VMM 2012 has moved into the cloud and services management space. VMM 2012 adds cloud support, where cloud is defined as a collection of resources that can be assigned to users or groups. The cloud is composed of a fabric, which is the underlying IT infrastructure, and services, which are collections of virtual machines (VMs) that perform a given task.

3. Dynamic Optimization—Dynamic Optimization is Microsoft's answer to VMware's Distributed Resource Scheduler. Dynamic Optimization provides cluster-level workload balancing for VMs. Like the older VMM Performance and Resource Optimization (PRO) feature, Dynamic Optimization lets VMM analyze workloads and dynamically move VMs to different hosts by using Live Migration, but it doesn't require Operations Manager 2007. The PRO feature will still be available in VMM 2012.

4. Power Optimization—A feature closely related to Dynamic Optimization is the ability to optimize the placement of VMs to minimize power consumption. Power Optimization in VMM 2012 can use Live Migration to consolidate running VMs onto fewer virtualization hosts, then power down the unneeded hosts.

5. Cluster awareness—A weak point with the previous version of VMM is that it isn't a cluster-aware application. VMM 2012 is cluster aware and can be installed on a Windows Server 2008 R2 failover cluster, giving VMM 2012 improved availability and the ability to fail over to a backup node in the event of a server failure.

6. Bare-metal Hyper-V provisioning—Another important new feature in VMM 2012 is the ability to perform bare-metal provisioning of Hyper-V servers. This feature lets VMM create new Hyper-V hosts on bare-metal systems by using predefined templates. VMM 2012 is also integrated with remote management technologies such as iLO (HP's Integrated Lights Out) and SMASH (Systems Management Architecture for Server Hardware).

7. Enhanced placement rules—Intelligent Placement enabled the previous version of VMM to evaluate host capacity and suggest the most appropriate virtualization hosts for deployment. VMM 2012 extends this capability with over 100 VM placement checks and also adds support for custom placement rules. In addition, VMM 2012 supports multiple VM deployments as services.

8. Support for Server App-V—Server App-V is the server equivalent to the desktop version of App-V that Microsoft provides for application virtualization. As its name suggests, Server App-V is designed to virtualize server applications such as Microsoft SQL Server and Exchange Server. Using Microsoft's application sequencing technology, the server applications are converted into Xcopyable images that can be deployed with VMM 2012.

9. PowerShell 2.0—VMM provides PowerShell cmdlets for command-shell management, and actions in the VMM console can be used as a basis for generating PowerShell management scripts. VMM 2012 enhances this management capability with full support for PowerShell 2.0.

10. Upgrade support—One other nice feature in VMM 2012 is the ability to perform in-place upgrades from existing VMM 2008 R2 installations. Customers will be able to upgrade from VMM 2008 R2 to the VMM 2012 RC, and then upgrade from the VMM 2012 RC to the final RTM release of VMM 2012.

InstantDoc ID 136125 
ENTERPRISE IDENTITY 


Deuby 

"People have gotten past the denial 
aspect, and now they're in the sheer 
horror of, 'What do we do next?!"' 

—Gil Kirkpatrick 

Identity as a Service and the Future of Active Directory 

An interview with Quest Software's Gil Kirkpatrick 



In April, I had a chance to sit down and catch up with my 
friend and fellow Directory Services MVP Gil Kirkpatrick, 
Quest Software's chief architect for Active Directory and 
Identity Management products. He was in the United States 
for Quest's TEC (The Expert's Conference), having traveled 
from his home base in Australia. For many years, Gil has 
been doing a lot of deep thinking about identity management and 
its changing role in the IT landscape. In the following interview, 
he brings valuable perspective to the sometimes frantic hype sur¬ 
rounding cloud computing. 

Ever since IT pros realized that cloud computing might mean 
"not in my data center," they've been quite skittish about embrac¬ 
ing this new computing model. Not surprisingly, the reality is a bit 
more nuanced than simply "my job is going away." In fact, most IT 
pro jobs aren't going away. But many 
of those jobs will be different from 
what they have entailed for the last five 
years. 

Stephen Rose, senior IT pro com¬ 
munity manager at Microsoft, has a 
terrific maxim about employability: 

Essentially, you want to be the guy— 
not that guy. You want to be the guy 
who everyone goes to for (insert active 
technology here—for example, virtu¬ 
alization, identity, PowerShell). You 
don't want to be that guy over in the 
corner cubicle who's still doing (insert 
declining technology here—for example, COBOL, tier 3 computer 
operations, Multiple Virtual Storage—MVS). I put identity manage¬ 
ment professionals in the former category, but that doesn't mean 
you can let your skills stagnate. 

The Interview 

Gil brings up a vital point in this interview: It's time for you, the 
AD administrator, to start thinking of yourself—in a broad sense— 
as an identity management person. In addition to the increased 
amount of identity integration occurring between AD and other 
databases (e.g., HR) within a company, cloud computing might 
force you to be involved in account management issues with the 
Software as a Service (SaaS) applications that your company's 
employees are surely using. If you aren't involved with it person¬ 
ally, someone else surely will be. I also like Gil's pragmatic "stuff" 
definition of identity management! 


Sean Deuby: From what you're seeing at this conference and in 
general, how is identity evolving? What's changing? 

Gil Kirkpatrick: One thing that's very clear to me is that last year, 
most of the people at this conference—and I would say most of 
the people I talk to in general—were looking at this cloud thing as, 
"Maybe it's going to be important, but we're not really sure." I'd say 
more than half of the people here know that these externally pro¬ 
vided applications and services are going to become part of their 
day-to-day life, and sooner than they expected. So, I think they've 
gotten past the denial aspect, and now they're in the sheer horror 
of, "What do we do next?!" That's a big change. 

The whole cloud thing has thrown a wrench into the way 
we've been approaching identity management and access control, 
and has really turned all that upside down. I said in my opening 
session that people really don't care about identity management. 
It was, "Lessons Learned from 10 Years of Tech"—none of which 
really had anything to do with technology. But one of the lessons 
was, "We're not really in the AD business; we're in the identity 
management business," and the only people who care about 
identity management are the people who are in the identity 
management business. Nobody cares. What they care about is, 
"Can I get to my stuff, can I keep others from getting to my stuff, 
can I know who got to my stuff, and can I not type my password 
in so many times?" That's what people actually care about, and 
that's the problem we ultimately have to solve. 

We were beginning to solve that inside the firewall, so we got 
past the password thing, and we had ways to make sure that you 
could get to your stuff and others couldn't, and we could keep track 
of who got to your stuff, but they didn't work very well and weren't 
well managed inside the enterprise. Well, now we just threw the 
whole deck of cards in the air, and we have to do that all over 
again—except now we don't have control over the applications 
and resources that people need access to. So that's made a bit of a 
dog's breakfast out of the whole thing. 

Sean: Just as you think you're getting your arms around it, the 
scope changes. 
Gil: Yeah, the scope and even the nature 
of the problem have changed. The change 
is primarily that people are beginning to 
recognize that cloud computing really is 
happening. And it's not, "I'm probably not 
going to do that in my company," which 
was the attitude for the last couple of years. 
I think people understand that that's just 
the way things are. It's going to be in a state 
of chaos for the next several years. 

Sean: If you were an IT professional in an 
enterprise in any number of different roles, 
where are the places to be and the places 
not to be? 

Gil: If I were making my life as an AD 
admin, I would say that's probably not the 
place to be. Being a specialist in an on¬ 
premises technology without expanding 
your skill set to accommodate cloud tech¬ 
nologies and other outside technologies—I 
think that will be a non-growth industry. 
On the other hand, there's value to being 
the one remaining expert in a particu¬ 
lar technology, like COBOL programming 
($200,000 a year!). So there's something to 
be said for that: If you're the best of the best 
and everybody else leaves, you have value. 
But that's not where I'd want to be. 

I think the clue here is that you need 
to expand your skill set to understand 
the cloud environment, know what that 
means for identities, and be able to develop 
strategies and technologies that allow your 
company to effectively take advantage of 
cloud-based applications and services. 

Sean: Do you feel that there will be a migra¬ 
tion of the AD identity store off-premises? 

Gil: To some degree, it's already happened. 
If you have employees who are signing up 
for external services—like going to Sales- 
force.com or something like that—they 
have what is effectively your AD identity 
information now in the Salesforce data¬ 
base. 

Sean: It functions as an identity provider as 
well as a service provider. 

Gil: Right. So, I'm not sure about the 
wholesale movement—just taking AD and 
dropping it somewhere in the cloud. I'm 
not sure I see that. I think the idea of 


outsourcing your identity management to 
a cloud provider makes sense for a lot of 
organizations, and there are some compa¬ 
nies that are beginning to do that. Okta is 
one, Symplified is another. 

Sean: PingConnect is another. We can't 
quite call them federation as a service— 
that's a little too narrow a description, 
because these services do more than fed¬ 
eration. They do screen scrapes and pass¬ 
word vaulting for SaaS apps that don't 
support federation, so it's best thought of 
as Identity as a Service (IDaaS). 

Gil: I can see that happening. One thing I'm 
struggling to understand is: Who ultimately 
wants to be responsible for the identity 
information that a corporation uses to 
make its authentication and authorization 
decisions? There's this notion of reputa¬ 
tion of trust that factors into that, because 
what does a company really know about its 
employees? It knows whatever they filled 
out on the employment form. And how 
well vetted is that? Well, it depends on the 
company. In some cases, a company looks 
at your driver's license and that's it; other 
companies do background checks and 
everything else. I can imagine that there 
will be situations in which companies will 
happily accept identity information pro¬ 
vided by an outsider such as VeriSign. 

Sean: Right, this is the discussion of what is 
the quality of different identity providers— 
Facebook versus Google versus VeriSign... 
or PayPal. 

Gil: Envision this scenario. You go work 
at a new company, and you talk to the HR 
people, and they ask, "What's your Face- 
book ID?" And you provide that. And they 
say, "This is your role in the organization, 
and these are the things that you need to be 


able to do. Do you have a laptop? Put this 
certificate on it, and go to it." And that would 
serve as sufficient authentication for what¬ 
ever applications you have access to, both 
inside the firewall that the company is still 
managing and cloud-based applications 
that are more publicly oriented—things 
like Salesforce. That might be the ideal level 
for a lot of organizations, because they've 
totally divested themselves of the identity- 
management problem, other than associat¬ 
ing a body with a Facebook ID. That might 
be sufficient for a lot of people. 

Other organizations are going to have 
to manage their identities the way they do 
now. Financial, medical—places where 
licensing is important. I think that's further 
down the road, to tell you the truth. I think 
companies are going to continue to manage 
their own identity information for five to 
six years at least. But I can imagine smaller 
organizations saying, "I'll just subscribe to 
some cloud vendor that charges me a $1 per 
identity per year and live with it that way." 

Looking Forward 

At this time, I think the idea of having your 
identity store in the cloud rather than on 
premises is heretical to most companies; 
there are simply too many security ques¬ 
tions and too little history with cloud 
services for this scenario to be popular. In 
the future, I think that as more companies 
consider this idea, the relative quality (or, 
more specifically, the authenticity) of the 
identities and identity store will become 
crucial, and require some standard of iden¬ 
tity verification similar to what VeriSign 
and PayPal require today. 

Would you want to use an identity 
provider that doesn't require some accred¬ 
ited means of identification to create your 
account? I know of at least one incident in 
India in which one person applied for and 
was accepted at a job, but another person 
showed up and started working as the first 
person. Your identity store is only as good 
as its roots to the real world. What are your 
thoughts about having your identity stored 
in the cloud? 
WHAT WOULD MICROSOFT SUPPORT DO? 

"I produce a quarterly top-issue report for 
the product teams, and I wanted to share 
some common Hyper-V configuration 
problems that users are reporting." 



Common Hyper-V Configuration Problems 

Recommended resolutions from the Microsoft support team 


As a senior program manager in the Product Quality 
and Online (PQO) group at Microsoft, I cover multiple 
products, but my focus is on virtualization technolo¬ 
gies—that is, Microsoft Hyper-V Server, System Center 
Virtual Machine Manager (SCVMM), Microsoft Appli¬ 
cation Virtualization (App-V), Microsoft Enterprise 
Desktop Virtualization (MED-V), and Windows Virtual PC. In my 
role, I work closely with the product teams on the top problems 
that are reported through Microsoft support, community forums, 
and other listening channels. 

I produce a quarterly top-issue report for the product teams, 
and I wanted to share some common Hyper-V configuration 
problems that users are reporting, as well as the recommended 
resolutions. These problems are worth reviewing for anyone who 
is planning a Hyper-V deployment or has Hyper-V running in 
production. 

Antivirus Exclusions Not Configured 

If antivirus software is installed on the Hyper-V server, and the 
real-time scanning component isn't configured to exclude Hyper-V 
virtual machine (VM) files, you might experience multiple prob¬ 
lems on the Hyper-V server. The most common problem is that the 
administrator opens the Hyper-V Manager console and finds that 
VMs are missing. Other symptoms are as follows: 

• VM performance problems 

• Creating or starting a VM fails with one of the following error 
messages: 

o The requested operation cannot be performed on a file 
with a user-mapped section open. (0x800704C8) 
o 'VMName' Microsoft Synthetic Ethernet Port (Instance 
ID {7E0DA81A-A7B4-4DFD-869E-37002C36D816}): Failed 
to Power On with Error 'The specified network resource or 
device is no longer available.' (0x80070037). 
o The I/O operation has been aborted because of either a 
thread exit or an application request. (0x800703E3) 

To prevent these problems from occurring, configure the real-time 
scanning component within your antivirus software to exclude the 
following directories and files: 

• Default VM configuration directory (C:\ProgramData\ 
Microsoft\Windows\Hyper-V) 

• Custom VM configuration directories 
• Default virtual hard disk (VHD) drive directory (C:\Users\ 
Public\Documents\Hyper-V\Virtual Hard Disks) 


• Custom VHD drive directories 

• Snapshot directories 

• Vmms.exe (might need to be configured as process exclusions 
within the antivirus software) 

• Vmwp.exe (might need to be configured as process exclusions 
within the antivirus software) 

The recommended Hyper-V antivirus exclusions, as well as known 
problems caused by antivirus software, are documented in the 
Microsoft article "Virtual machines are missing in the Hyper-V 
Manager Console or when you create or start a virtual machine, you 
receive one of the following error codes: '0x800704C8,' '0x80070037' 
or '0x800703E3'" (support.microsoft.com/kb/961804). 
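As an added example (not code from the article or from Microsoft), the following PowerShell script applies the exclusions listed above on a host whose real-time scanner is Microsoft Defender Antivirus, using the Defender module's Add-MpPreference/Get-MpPreference cmdlets and the Hyper-V module to find the directories every registered VM actually uses, then reports anything still missing. It assumes Defender and the Hyper-V module are present; a third-party product needs the same paths and processes entered in its own console.

```powershell
# Added example, not code from the article: apply the Hyper-V exclusions listed above to
# Microsoft Defender Antivirus and report anything still missing.
# Assumptions: Defender is the real-time scanner on this host, and the Hyper-V module is installed.

# Default locations named in the article
$paths = @(
    'C:\ProgramData\Microsoft\Windows\Hyper-V',
    'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
)

# Add the host's configured defaults plus the directories each registered VM actually uses
# for its configuration, snapshots and virtual hard disks, so custom locations are covered
$vmHost = Get-VMHost
$paths += $vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath
foreach ($vm in Get-VM) {
    $paths += $vm.ConfigurationLocation, $vm.SnapshotFileLocation
    $paths += Get-VMHardDiskDrive -VM $vm | ForEach-Object { Split-Path -Path $_.Path -Parent }
}
$paths = $paths | Where-Object { $_ } | Sort-Object -Unique

# Path exclusions for the VM files, process exclusions for the two Hyper-V worker processes
Add-MpPreference -ExclusionPath $paths
Add-MpPreference -ExclusionProcess 'vmms.exe', 'vmwp.exe'

# Check: anything below that is still not excluded needs attention
$pref = Get-MpPreference
$missingPaths = $paths | Where-Object { $pref.ExclusionPath -notcontains $_ }
$missingProcs = 'vmms.exe', 'vmwp.exe' | Where-Object { $pref.ExclusionProcess -notcontains $_ }
if ($missingPaths -or $missingProcs) {
    Write-Warning "Still not excluded: $((@($missingPaths) + @($missingProcs)) -join ', ')"
} else {
    'All Hyper-V path and process exclusions are in place.'
}
```

Run it as an administrator on the Hyper-V host after adding a VM whose files live outside the defaults; the final check is the part worth keeping in a scheduled job, because a VM created later in a new directory silently falls outside the exclusion list.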

Snapshots Fail to Merge Due to Lack of Disk Space 

If snapshots fail to merge because of a lack of disk space (i.e., error 
0x80070070), don't delete the .avhd files (snapshot files). Deleting 
the .avhd files will result in data loss and cause the VM to fail to 
start. If you're unable to free sufficient disk space on the volume 
that hosts the .vhd files, perform the following steps: 

1. Export the VM to a volume on the Hyper-V server that has 
sufficient disk space. 

2. Once the export finishes successfully, go to the Hyper-V 
Manager console and delete the VM that was exported. 

3. Import the VM from the new location. If the version of 
Hyper-V is earlier than Windows Server 2008 R2, turn on the VM 
and then shut it down to trigger the merge process at the new 
storage location. 

For the complete list of best practices when using snapshots, please 
refer to the TechNet article "Hyper-V Virtual Machine Snapshots: 
FAQ" at technet.microsoft.com/en-us/library/dd560637(WS.10) 
.aspx. 
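As an added example (not code from the article), the three steps above in PowerShell, using Export-VM and Import-VM from the Hyper-V module on Windows Server 2012 or later (the console steps are the equivalent on 2008 R2). It checks that the destination volume can hold the whole disk chain before touching anything, and never deletes an .avhd file. The VM name SQL01 and the destination E:\VMs are assumed names.

```powershell
# Added example, not code from the article: relocate a VM whose snapshot chain cannot merge
# because its volume is full, using Export-VM/Import-VM (Hyper-V module, Server 2012+).
# Assumed names: the VM 'SQL01' and a destination folder E:\VMs on a volume with free space.
$ErrorActionPreference = 'Stop'   # any failure below stops the script before the VM is removed
$vmName = 'SQL01'
$dest   = 'E:\VMs'
$vm     = Get-VM -Name $vmName

# Size of the active disk chain (.vhd/.vhdx plus each .avhd/.avhdx above it). Sibling
# snapshot branches are not walked here, so treat the total as a lower bound.
$chain = foreach ($drive in Get-VMHardDiskDrive -VM $vm) {
    $p = $drive.Path
    while ($p) { Get-Item -Path $p; $p = (Get-VHD -Path $p).ParentPath }
}
$needed = ($chain | Measure-Object -Property Length -Sum).Sum
$free   = (Get-Volume -DriveLetter $dest.Substring(0, 1)).SizeRemaining
if ($free -lt $needed) { throw "Need $needed bytes free on $dest but only $free available" }

# Never delete the .avhd files: export the VM intact, unregister it, then register the
# exported copy in place so Hyper-V resumes the pending merge on the new volume.
if ($vm.State -ne 'Off') { Stop-VM -VM $vm }
Export-VM -VM $vm -Path $dest
Remove-VM -VM $vm -Force    # the exported copy is complete, so the original registration can go

$config = Get-ChildItem -Path (Join-Path $dest "$vmName\Virtual Machines") -File |
    Where-Object { $_.Extension -in '.vmcx', '.xml' } | Select-Object -First 1
$imported = Import-VM -Path $config.FullName   # no -Copy: files stay where they were exported
"Imported $($imported.Name); status: $($imported.Status)"
```

The free-space check is the step people skip: exporting onto a volume that is also nearly full reproduces the same 0x80070070 failure in the new location, this time with the old registration already gone.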

Integration Components in the VM Not Up to Date 

When a Hyper-V hotfix or update is installed on a server (Windows 
2008 R2, Server 2008, or Microsoft Hyper-V Server), review the 
documentation associated with the hotfix to determine whether 
the hotfix requires that you update the integration components in 
the VM. You can also review the Hyper-V update list on TechNet 
to determine whether an update includes updated integration 
components. 

• Hyper-V Update List for Windows Server 2008: technet 
.microsoft.com/en-us/library/dd430893(WS.10).aspx?lc=1033 


• Hyper-V Update List for Windows 
Server 2008 R2: technet.microsoft.com/ 
en-us/library/ff394763(WS.10).aspx 

For an example of a problem that can 
occur with out-of-date integration com¬ 
ponents, see the Microsoft article "The 
network connection is lost on a Hyper-V 
virtual machine" (support.microsoft.com/ 
kb/2223005), which contains a Hyper-V 
hotfix that addresses a VM network con¬ 
nectivity problem. This hotfix requires that 
you update the integration components 
for Windows XP and Windows Server 2003 
VMs. If the hotfix is installed on the Hyper- 
V server but the integration components 
aren't updated in the VM, you might con¬ 
tinue to experience the networking prob¬ 
lem that was addressed by the hotfix. 

To identify VMs that have out-of-date 
integration components, you can review 
the Microsoft-Windows-Hyper-V-Integra¬ 
tion/Admin event log. If the VM has out-of- 
date integration components, the following 
event will be logged when the VM starts: 

Log Name: Microsoft-Windows-Hyper-V-Integration-Admin 
Source: Microsoft-Windows-Hyper-V-Integration 
Event ID: 4010 
Level: Warning 
Description: Hyper-V Heartbeat connected to virtual machine 'vmname' but the version does not match the version expected by Hyper-V (Virtual machine ID A5C22E8D-5F58-4186-832F-E7C2AE0B4804). This is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu. 

The Event ID 4010 will be logged for 
every integration component service in 
the VM that isn't up to date, as you see in 
Figure 1. 


You can also use the Hyper-V Best Prac¬ 
tices Analyzer (BPA) or PowerShell scripts 
to determine which VMs have out-of-date 
integration components. See the Micro¬ 
soft article "Hyper-V BPA for Windows 
Server 2008 R2 is now available" (support 
.microsoft.com/kb/977238) to learn 
how to obtain the Hyper-V BPA. The 
Hyper-V team has posted a PowerShell 
script to the TechNet Script Reposi¬ 
tory at gallery.technet.microsoft.com/ 
scriptcenter/251337c5-ab97-40b3-a888- 
80b68102dld5. 
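As an added example (not the Hyper-V team's gallery script linked above, and not code from the article), this PowerShell reads Event ID 4010 from the Hyper-V-Integration-Admin log and cross-checks it against the IntegrationServicesState that Get-VM reports on Windows Server 2012 or later. The 30-day window is an assumption; the event is written at each VM start, so a VM that has not started in that period only shows up through the second check.

```powershell
# Added example, not code from the article: list VMs with out-of-date integration
# components from Event ID 4010, cross-checked against Get-VM (Hyper-V module, Server 2012+).
# Assumption: a 30-day look-back window is enough for every VM of interest to have started.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Hyper-V-Integration-Admin'
    Id        = 4010
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is the good case, not an error

# One 4010 event is logged per stale component, so reduce to unique VM names taken
# from the "connected to virtual machine '<name>'" part of the message text
$fromLog = foreach ($e in $events) {
    if ($e.Message -match "virtual machine '([^']+)'") { $Matches[1] }
}
$fromLog = @($fromLog | Sort-Object -Unique)

# Report VMs flagged by either source; neither is complete on its own
Get-VM | ForEach-Object {
    [pscustomobject]@{
        VM         = $_.Name
        State      = $_.State
        ICState    = $_.IntegrationServicesState
        ICVersion  = $_.IntegrationServicesVersion
        Logged4010 = $fromLog -contains $_.Name
    }
} | Where-Object { $_.Logged4010 -or $_.ICState -eq 'Update required' } |
    Format-Table -AutoSize
```

Run it on each Hyper-V host (or with -ComputerName on Get-VM and Get-WinEvent from a management station); an empty table means no VM needs its integration services upgraded.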

The Refresh virtual machine 
configuration Option Wasn't Used 
for Highly Available VMs 

The Hyper-V Manager console isn't cluster- 
aware, which means that configuration 
changes that are made to virtual networks 
or VMs in the Hyper-V Manager console 
must be replicated to the other cluster 
nodes by using the Refresh virtual machine 
configuration option in the Failover Cluster 
Manager console. 

If the Refresh virtual machine configura¬ 
tion option isn't used, the VM will either fail 
to migrate or the VM settings (e.g., VLAN 
ID) that were changed will be lost when the 
VM is migrated to another Hyper-V cluster 
node. To refresh the configuration of a VM, 
follow these steps: 

1. In the Failover Cluster Manager console, expand Services 
and Applications, then click the VM for which you want to refresh 
the configuration. 

2. In the Actions pane, scroll down, click More Actions, then 
click Refresh virtual machine configuration, as Figure 2 shows. 

Figure 2: The "Refresh virtual machine configuration" option 

In Server 2008 R2, the Refresh virtual 
machine configuration option isn't needed 
if you change VM settings using the Failover 
Cluster Manager console. To modify VM 
settings using the Failover Cluster Manager 
Console, follow these steps: 

1. In the Failover Cluster Manager 
console, expand Services and 
Applications, then click the VM that you 
want to modify. 

2. In the Actions pane, click Settings 
to change the VM settings. 
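As an added example (not code from the article), the same refresh from PowerShell with the FailoverClusters module (Windows Server 2008 R2 or later), followed by a check that the setting survives a live migration, read with the Hyper-V module's Get-VMNetworkAdapterVlan (Windows Server 2012 or later). The VM name WEB01 is assumed, as is the default cluster resource naming "Virtual Machine Configuration <VM name>".

```powershell
# Added example, not code from the article: push a VM setting changed in Hyper-V Manager to
# every cluster node, then prove it survives a migration. Assumed names: VM 'WEB01' and the
# default resource name "Virtual Machine Configuration <VM name>".
Import-Module FailoverClusters
$vmName = 'WEB01'

# Same action as "Refresh virtual machine configuration" in Failover Cluster Manager
$cfgRes = Get-ClusterResource -Name "Virtual Machine Configuration $vmName"
Update-ClusterVirtualMachineConfiguration -Name $cfgRes.Name
$group  = $cfgRes.OwnerGroup

# Read the VLAN ID on the current owner, migrate the VM, read it again on the new owner
$owner  = $group.OwnerNode.Name
$before = (Get-VMNetworkAdapterVlan -VMName $vmName -ComputerName $owner).AccessVlanId
$target = Get-ClusterNode | Where-Object { $_.Name -ne $owner -and $_.State -eq 'Up' } |
    Select-Object -First 1
Move-ClusterVirtualMachineRole -Name $group.Name -Node $target.Name -MigrationType Live
$after  = (Get-VMNetworkAdapterVlan -VMName $vmName -ComputerName $target.Name).AccessVlanId

if ($before -eq $after) {
    "VLAN $after is consistent on $owner and $($target.Name)"
} else {
    Write-Warning "VLAN $before on $owner but $after on $($target.Name): configuration was not refreshed"
}
```

The migration step is deliberate: the symptom described above (a VLAN ID that reverts after migration) only shows up once the VM actually moves, so a check that reads the setting on a single node proves nothing.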

Hyper-V Gotchas 

For the complete list of common Hyper-V 
configuration problems, please refer to the 
TechNet Wiki article "Hyper-V: Gotchas" 
at social.technet.microsoft.com/wiki/con- 
tents/articles/hyper-v-gotchas.aspx. This 
list is updated quarterly as new problems 
are identified. 

InstantDoc ID 136220 


JEFF PATTERSON (jeffpatt@microsoft.com) is 
a senior program manager on the Product Qual¬ 
ity and Online team at Microsoft. He focuses on 
Microsoft virtualization technologies and works 
closely with the product teams on the top issues 
that are reported through Microsoft's listening 
channels. 



Figure 1: Logging event ID 4010 
"Lossless" iSCSI? What's that? Does this mean my 
existing iSCSI Storage Area Network (SAN) is "lossy?" 
Alas, it likely does mean just that. Although many IT 
technologists are new to the concept of packet loss 
in iSCSI storage area networks, the reality is that most off-the- 
shelf Ethernet hardware deployed for iSCSI can lose packets, 
resulting in slow performance or, in some cases, unacceptable 
application downtime. 

Compared with Fibre Channel (FC), which is by nature a 
lossless SAN protocol, traditional Ethernet-based iSCSI has 
intrinsic faults that can drop packets or cause catastrophic 
data loss. Unlike FC, Ethernet is a "best effort" delivery 
medium, depending on higher-layer protocols, such as TCP, for 
error detection and recovery. 

In reality, it is not iSCSI that is lossy, but the underlying Ethernet 
transport layer. Thus the term "lossless iSCSI" is a bit of a misnomer. 
With light to moderate traffic loads Ethernet rarely loses packets, 
but as Ethernet SAN workloads ramp up—common in today's 
massively virtualized data center—Ethernet's best efforts at 
delivery are not good enough, resulting in dropped packets that 
require TCP/IP retransmissions. Worse, in an iSCSI SAN with multi¬ 
ple Ethernet switches, topology loops can cause broadcast storms 
that severely degrade iSCSI performance, to the point where 
disk transactions can't complete in a timely fashion. To avoid the 
topology loops, it's important in traditional Ethernet networks 
to deploy Spanning Tree Protocols (STP). STP resolves the issue 
with topology loops but creates inefficient network bandwidth 
utilization and adds significant delays due to reconvergence in the 
event of a topology change. The end result can be unacceptable 
application performance, or outright application failure. 

To avoid these disasters, and achieve the full potential of 
Ethernet SAN throughput, requires an understanding of iSCSI's 
underlying Ethernet transport problems and the well-under¬ 
stood technologies that can resolve them. Armed with that 
knowledge, you'll be well positioned to assess your current iSCSI 
infrastructure, evaluate lossless iSCSI products, and engineer an 
iSCSI SAN infrastructure that will make it possible to implement 
high-class benefits that are traditionally only available with its 
FC cousin. 

Ethernet: A Bridge Too Far 

Lossless Ethernet is the current convergence technology for 
SAN fabrics, with iSCSI, NAS, and FCoE the primary storage 
protocols. Although FC is a tried and true SAN transport 
technology, iSCSI SANs are attractive for their ease-of-use, 
compatibility with existing Ethernet networking infrastructure, 
and low cost. For second- and third-tier storage applications, 
such as data archiving and disk-to-disk backup, iSCSI's typical 1 
Gbps host throughput is often adequate. 

Ethernet transport is well positioned as the future medium 
for SANs, given the widespread availability of 10 Gbps Ethernet 
today and 40 Gbps/100 Gbps as the next speed increment. 
Although FC still occupies much of the market, today's FC 
products top out at 8 Gbps, while iSCSI supports host NICs of 
10 Gbps, with 40 Gbps for SAN aggregation links. FC vendors 
are poised to deliver 16 Gbps host interfaces, with 32 Gbps on 
the horizon, while iSCSI has 40 Gbps host connections on the 
horizon, and ultimately 100 Gbps for aggregation. The future 
migration path for FC in converged infrastructures is thus Fibre 
Channel-over-Ethernet (FCoE), which overlays the FC protocol 
on a new lossless Ethernet transport. 

Alas, Ethernet in its native form has serious flaws that 
only become apparent at the worst possible time: when the 
Ethernet SAN infrastructure is near saturation on one or more 
redundant paths. A typical data center Ethernet SAN infra¬ 
structure consists of multiple switches interconnected via 
redundant 1- or 10-gigabit links, so that the failure of any one 
link doesn't partition the network. Ethernet's STP, designed to 
ensure a loop-free topology, creates a single, non-looping path 


between any two devices, which doesn't exploit link redun¬ 
dancy. Instead, links not on the loop-free path are disabled. 

This single path cannot be optimal for all devices in the net¬ 
work—some devices are forced to take "the long way around" 
to communicate, which can saturate parts of the network even 
though plenty of network capacity still exists. In such satura¬ 
tion conditions, Ethernet's broadcast-based layer-2 transport 
can drop packets, resulting in iSCSI and FCoE failures. 

A more serious problem lurks: total network meltdown due 
to runaway STP reconvergence. Switches running STP commu¬ 
nicate with each other using Bridge Protocol Data Unit (BPDU) 
frames. When an STP-based Ethernet topology change 
occurs, switches transmit a flood of BPDU packets that can add 
significant traffic to the network. Any network links already 
carrying moderate to high traffic rates are at risk of saturation, 
which can result in the loss of BPDU packets essential to STP 
re-converging on a stable network topology. The result is often 
a constantly shifting topology, creating radical performance 
changes in the network. 

STP failure was a major factor in one of the worst health¬ 
care IT disasters in history. In 2002, the Beth Israel Deaconess 
Medical Center in Boston, MA experienced an STP loop that 
intermittently saturated the multi-building campus network 
for hours at a time. In their attempts to eliminate that problem, 
Beth Israel's IT staff inadvertently exceeded STP's seven-bridge 
hop limit, creating a network that would never re-converge. 
Ultimately, Beth Israel was forced to close its Emergency Room 
due to the loss of critical IT database and application access. 
The incident was finally resolved several days later¹. 

Ethernet as a SAN fabric has other problems beyond packet 
loss and STP-induced outages. Flow control mechanisms across 
multiple switches—needed when a host is moving data faster 
than a network switch or an end device can process it given its 
current workload—don't permit traffic prioritization, resulting 
in scenarios where a low-priority process, such as a disk-to-disk 
backup, degrades mission-critical application performance. 

The Road to Lossless 

SAN vendors' early experience led them to explore solutions 
to the problem of lossy Ethernet's impact on iSCSI and FCoE. 
Several specific mechanisms—collectively called Data Center 
Bridging (DCB) technology—convert Ethernet into a loss-free 
transport enabling a reliable, robust Ethernet SAN fabric. 

A key DCB technology is a replacement for STP called TRILL² 
(Transparent Interconnection of Lots of Links). TRILL, devel¬ 
oped by STP's original inventor Radia Perlman, arose directly as 
a result of the Beth Israel disaster. The new protocol, although 
not fully through the Internet Engineering Task Force (IETF) 
standards process, is solid enough to be deployed in Ethernet 
SAN environments, and several vendors are exploiting its capa¬ 
bilities in current iSCSI products. 

TRILL brings several benefits to iSCSI. First, it routes traffic 
along the shortest Layer 2 path between two nodes, a vast 
improvement over STP's non-optimal path calculations. 

Second, TRILL exploits all available paths, including redundant 
ones, to spread traffic across all available backbone capacity, 
reducing link congestion. Third, TRILL's link-state topology 
convergence algorithm operates many times faster than STP's 
distance-vector method. Finally, TRILL's maximum network 
diameter—the bridge "hop count"—is much higher than STP's 
low number (seven), enabling larger networks without risk of 
inadvertently exceeding the protocol's intrinsic hop limit. 

When combined with other DCB enhancements, such 
as Priority Based Flow Control and Enhanced Transmission 
Selection, TRILL creates a true lossless Ethernet SAN fabric that 
both iSCSI and FCoE can exploit. 

To appreciate the advantages of a DCB-based Ethernet SAN 
fabric, it helps to examine Ethernet's STP shortcomings more 
closely. Switches running STP find each other by exchanging 
BPDUs on every port, so every switch in a LAN takes part in the 
protocol. To prevent loops formed by redundant paths (necessary 
for resilience), STP runs a distributed computation in which all 
switches participate, using those BPDUs to tell each other what 
they know about the root bridge and their neighbors. Once all 
switches have converged on a model of the network, they 
collectively create a single loop-free path (tree) for each VLAN. 

STP calculations are CPU intensive, and as noted earlier, 
can generate significant amounts of BPDU traffic. Every time 
the network topology changes—such as when a link fails, or 
when a device enters or leaves the network—the STP model 
must be recalculated. Each loop-free topology calculation 
requires that all but one redundant interface on each switch 
be disabled. The resulting loop-free path might not be the 
shortest path for all nodes in the network. 

Ironically, STP's BPDU traffic, which is multiplied through 
broadcasts, can render one or more links so congested the 
switch sees them as impassible, and thus disabled. This 
constitutes a new topology change, triggering yet another STP 
recalculation. In the worst case scenario, the network can oscil¬ 
late between multiple congested topologies until traffic levels 
drop low enough to permit a final, stable STP calculation. This 
can result in I/O timeouts that cause SAN transactions to fail, 
ultimately leading to application failure. 

In a desktop LAN environment, such STP-induced 
congestion can cause inconvenience for users and serious 
performance degradation. In an Ethernet-based SAN, STP 
congestion creates bottlenecks that can disable applications 
entirely. Figure 1 shows a typical iSCSI SAN network containing 
redundant paths needed for resilience and protection from 
single-point of failures. In the converged network, STP has 
disabled all redundant interfaces on each switch, leaving but 
one loop-free path. 

Traffic flow can't use the disabled redundant switch 
interfaces, forcing it to travel through more devices than nec¬ 
essary. This inevitably slows it down and leads to congestion 
as iSCSI transaction rates increase. Consider how this impacts 
a common iSCSI-based application, Virtualized Desktop 
Infrastructure (VDI). 

In most VDI deployments, users alternate between high-and 
low-bandwidth activities. For example, when a user logs onto 
a VDI session, a large amount of data may move between the 
user's VM and a SAN to populate the user's desktop environ¬ 
ment. Following this initial traffic surge, the user commonly 
accesses low-bandwidth applications, such as email and word 
processing. When a user later logs out, SAN traffic surges once 
again as the VM stores the user state back on the SAN. 

Because users often start and end VDI sessions at about 
similar times, such as morning, noon, and evening, SAN traffic 
sees peak levels that can overload the STP's single loop-free 
path. A path failure or topology change occurring during 
such traffic peaks could push the network into an oscillating 
re-convergence, seriously degrading VDI performance. 

Consider now a TRILL-based iSCSI Ethernet SAN (Figure 2). 
TRILL keeps redundant links active, and routes traffic using 
the shortest path for each VM. Multiple equal-cost paths 
(Layer 2 ECMP) are available for traffic between VMs and the 
SAN, so simultaneous user demands on the SAN are spread 
across the entire network infrastructure. 

Bridges to Everywhere 

Knowing how STP and TRILL differ under the covers will give 
you a greater appreciation of TRILL's data center advantages. 
Although TRILL operates at Layer 2, just like STP, it routes, 
rather than bridges, packets to get them to their destination. 
Thus a TRILL-based "switch" is actually called a Router Bridge, 
or RBridge, to reflect this packet routing orientation. Unlike 
traditional routers working on Layer 3 IP addresses, however, 
RBridges use wire-speed routing based on Media Access 
Control (MAC) addresses. 

RBridges connect to each other using link-state, rather than broadcast, topology management, which eliminates broadcast storms. With STP, when a topology change occurs, the affected switch sends broadcast messages to every switch in the VLAN. An RBridge, in contrast, communicates only with its neighbor RBridges, using the well-understood and time-tested Intermediate System to Intermediate System (ISIS) protocol. This avoids the broadcast storms that plague STP-based networks. 

Figure 1: A typical iSCSI SAN network with redundant paths 

Figure 2: A TRILL-based iSCSI Ethernet SAN 

TRILL was designed with a transition strategy in mind, recognizing that a wholesale switch away from STP would not be cost effective for legacy networks. RBridges can coexist with traditional Layer 2 Ethernet switching, permitting progressive migration from STP. Because ISIS is a Layer 3 protocol, it can transit both islands of Layer 2 STP switching as well as traditional Layer 3 IP routers, letting you construct TRILL fabrics of virtually any size, spanning even city- or region-wide distances given low-latency fiber connectivity. 

TRILL by itself is not enough to provide all the features a 
modern DCB infrastructure requires. Three other essential 
facilities round out the DCB technology suite: 

Priority-based Flow Control (PFC). PFC, defined by the IEEE 802.1Qbb standard, provides link-level flow throttling to protect against packet loss when a link becomes congested. When a device transmits packets faster than the receiving device on an Ethernet link can accept them, the intervening switch's default behavior is to buffer the packets. When a switch runs out of available buffer space to hold incoming packets, it drops additional incoming packets without notifying the sender. 

Traditional Ethernet has a link-level flow control mechanism, called the PAUSE control frame, defined by IEEE standard 802.3x. A congested receiver can send a PAUSE request to a sender when its buffer is close to full, triggering the sender to stop sending on the link until the receiver has freed enough buffer space to accept more frames. The disadvantage of using Ethernet PAUSE is that it operates on the entire link, which likely is carrying multiple traffic flows. 

Some low-priority flows, such as a TCP file transfer, can handle dropped packets in the TCP protocol, but others, such as iSCSI, will be adversely affected. PFC lets you establish multiple class of service (CoS) levels, with a new flow control command, PFC PAUSE, letting you pause individual flows without stopping all traffic on a link. This gives you fine-grained control over traffic loads across a link, preventing congestion before it causes packet loss due to buffer exhaustion. 
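To make the difference between the two pause mechanisms concrete, here is an added PowerShell example that is not part of the article: it decodes a classic 802.3x PAUSE frame and an 802.1Qbb PFC PAUSE frame from their raw bytes. The frame layouts (EtherType 0x8808, opcode 0x0001 for PAUSE with a single pause_time, opcode 0x0101 for PFC PAUSE with a priority_enable_vector followed by eight per-priority timers) come from those standards; the two sample frames are constructed for the example, and mapping iSCSI to priority 3 is an assumption.

```powershell
# Added example, not from the article: decode 802.3x PAUSE and 802.1Qbb PFC PAUSE
# MAC Control frames to show "pause the whole link" versus "pause one priority".
# Layout (from the standards):
#   dst MAC (6) | src MAC (6) | EtherType 0x8808 (2) | opcode (2) | parameters
#   PAUSE     : opcode 0x0001, pause_time (2 bytes, in 512-bit-time quanta)
#   PFC PAUSE : opcode 0x0101, priority_enable_vector (2 bytes; bit n of the low
#               octet marks time[n] valid), then eight 2-byte times, priority 0..7

function Read-UInt16BE {
    param([byte[]]$Bytes, [int]$Offset)
    return ([int]$Bytes[$Offset] * 256) + [int]$Bytes[$Offset + 1]
}

function ConvertFrom-MacControlFrame {
    param([byte[]]$Frame)
    if ($Frame.Length -lt 18) { throw "frame too short for a MAC Control frame" }
    $etherType = Read-UInt16BE -Bytes $Frame -Offset 12
    if ($etherType -ne 0x8808) {
        throw ("not a MAC Control frame (EtherType 0x{0:X4})" -f $etherType)
    }
    $opcode = Read-UInt16BE -Bytes $Frame -Offset 14
    switch ($opcode) {
        0x0001 {
            # Classic PAUSE: a single timer that halts every flow on the link
            return [pscustomobject]@{
                Type      = 'PAUSE'
                PauseTime = Read-UInt16BE -Bytes $Frame -Offset 16
                Paused    = @(0..7)
            }
        }
        0x0101 {
            if ($Frame.Length -lt 34) { throw "PFC PAUSE frame truncated" }
            $vector = [int]$Frame[17]          # low octet of priority_enable_vector
            $times  = @{}
            $paused = @()
            foreach ($prio in 0..7) {
                $t = Read-UInt16BE -Bytes $Frame -Offset (18 + 2 * $prio)
                if ($vector -band [int][math]::Pow(2, $prio)) {
                    $times[$prio] = $t
                    # A valid timer of zero means "resume", so only non-zero pauses
                    if ($t -gt 0) { $paused += $prio }
                }
            }
            return [pscustomobject]@{
                Type       = 'PFC PAUSE'
                Enabled    = @($times.Keys | Sort-Object)
                PauseTimes = $times
                Paused     = $paused
            }
        }
        default { throw ("unknown MAC Control opcode 0x{0:X4}" -f $opcode) }
    }
}

# Constructed sample frames (not captured traffic). 01-80-C2-00-00-01 is the
# reserved MAC Control destination address; the source MAC is made up.
$hdr = [byte[]](0x01,0x80,0xC2,0x00,0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0x08)

# PAUSE for 0xFFFF quanta: iSCSI and bulk traffic alike stop on this link
$pause = $hdr + [byte[]](0x00,0x01, 0xFF,0xFF)

# PFC PAUSE enabling only priority 3 (vector 0x0008) with timer 0xFFFF; the
# other seven timers are zero and not enabled, so only the class mapped to
# priority 3 (iSCSI, by assumption here) stops while everything else flows
$pfc = $hdr + [byte[]](0x01,0x01, 0x00,0x08) +
       [byte[]](0,0, 0,0, 0,0, 0xFF,0xFF, 0,0, 0,0, 0,0, 0,0)

ConvertFrom-MacControlFrame -Frame $pause | Format-List
ConvertFrom-MacControlFrame -Frame $pfc   | Format-List
```

The output shows why PFC matters for storage: the PAUSE frame reports all eight priorities as paused, while the PFC frame reports only priority 3 paused and leaves the other classes flowing. A PFC PAUSE that enables a priority with a timer of zero is the "resume" signal, which the decoder reflects by listing that priority under Enabled but not under Paused.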

Enhanced Transmission Selection (ETS). Where PFC aims to prevent packet-dropping congestion, ETS is a traffic engineering tool that lets you allocate bandwidth slices to pre-assigned traffic classes. ETS is defined in the IEEE 802.1Qaz standard. It adds a Priority Group ID (PGID) field to each Ethernet frame. One PGID value, PGID 15, is specified as the high-priority group, which always receives a pre-determined bandwidth allocation. Other groups receive a specified percentage of the remaining bandwidth on the link. Once allocated, a PGID can only use bandwidth up to its percentage ceiling. 

Data Center Bridging Exchange (DCBX). The DCBX protocol, defined in the IEEE 802.1Qaz standard, lets two DCB peers exchange configuration information. DCBX packages parameters into vendor-specific Organizationally Specific Type-Length-Value (TLV) groups, exchanged via the Link Layer Discovery Protocol (LLDP). DCB supports two types of parameters: Administered and Operational. Administered parameters are configuration settings, while Operational parameters represent the state of the administered parameters. They can change due to exchanges with the peer and are only present for administered parameters that can be changed by the peer. DCBX lets vendors add proprietary features to a DCB infrastructure without causing compatibility problems with devices from other vendors. 

Strategies for Migrating to Lossless Ethernet 

Lossless Ethernet is a boon for both iSCSI and FCoE, enabling SAN convergence to a single transport media supporting multiple independent fabrics. For legacy FC, a new class of network interfaces replaced the traditional FC Host Bus Adapter. Called the Converged Network Adapter (CNA), these interfaces integrate FC protocol with 10 Gbps Ethernet technology, letting you migrate legacy FC to a new DCB-based FCoE fabric. 

Because FCoE preserves FC control constructs and man¬ 
agement interfaces, you maintain backward compatibility 
with your investment in FC SAN administrative tools and 
skill sets. Ultimately, FCoE provides a clean path to 100 Gbps 
SAN performance. 

You should aim to move lossy iSCSI to a TRILL-enabled 
infrastructure as soon as possible. It's only a matter of time 
before inevitable traffic growth leads to standard Ethernet's 
tipping point, at which time it will be too late to fix the 
problem inexpensively. 

The best TRILL-based architectures employ peer-to-peer RBridge topologies, rather than a central controller topology, which introduces a single point of failure. RBridge devices can drop into an existing iSCSI 10 Gbps SAN, and TRILL lets you easily enhance SAN capacity by adding additional network interconnects, or, as TRILL puts it, "lots of links." 

Don't be a Loser 

iSCSI is one of the most promising technologies for 
the future data center storage network architecture. 

Traditional Ethernet infrastructures, however, won't sup¬ 
port the most demanding SAN performance and reliability 
requirements, so FC is still an essential technology for 
today. Fortunately, nascent DCB technologies—such as 
TRILL, PFC, ETS, and DCBX—solve lossy transport and STP 
issues, delivering true lossless connectivity at speeds of 
10 Gbps and beyond. FC as a protocol has a solid future as 
well, with FCoE as a path to 100 Gbps performance. New 
CNAs let you bring legacy FC SAN components along on 
the ride to lossless Ethernet. 

Lossy Ethernet, on the other hand, can put a serious crimp in your iSCSI style. If you're an existing iSCSI user, your mission is clear: move to lossless Ethernet now before an STP meltdown makes you the new IT disaster record holder. 

1. Berinato, S., "All Systems Down," CIO Magazine, April 11, 2003, http://www.cio.com.au/article/65115/all_systems_down 

2. IEEE Working Group, "Transparent Interconnection of Lots of Links (trill)," https://datatracker.ietf.org/wg/trill/charter 
Top 10 Reasons to Deploy Hitachi Storage and Brocade Networking for Lossless iSCSI Environments 

The lossless iSCSI capability delivered by Brocade's VDX 6720 Data Center Switches and Converged Network Adapters (CNA), combined with Hitachi's Adaptable Modular Storage (AMS) 2000 midrange storage family, provides a complete, highly scalable, 10 Gbps lossless iSCSI SAN solution with fully-automated, hardware-based I/O balancing and dynamic reconfiguration. Here are 10 reasons this dynamic duo is superior to any other enterprise SAN. 

1. Higher Reliability and Availability: Multiple active paths within the Brocade Ethernet fabric let you deliver a higher level of application SLA, by increasing overall network capacity, and by detecting and bypassing network failures instantaneously. Every AMS 2000 system has end-to-end redundancy with hot-swappable components; microcode updates can be done for system maintenance with no impact to operations. 

2. Self-Configuration and Embedded Management: Brocade VDX Switches automatically discover each other and create a fully functional, lossless Ethernet fabric with no manual configuration. Scaling out network topology, and scaling up bandwidth across switches, is as easy as adding an interswitch cable. The Ethernet fabric's embedded Layer-2 management intelligence automatically reconverges the network and allows automatic migration of VM port profiles, avoiding manual intervention from IT staff. Hitachi AMS' symmetric active/active storage controller design eliminates the need to set primary and failover paths to the controllers since either controller can process I/Os at equal speed. As a result, path management software is not necessary. 

3. Optimized Network Bandwidth: Unlike Spanning Tree Protocol 
(STP), all redundant paths in the network remain active, and are available to 
transport traffic. Shortest-path routing enhances application performance 
by eliminating congested common paths. 

4. VMware Integration: Hitachi AMS' VMware API for Array Integration moves critical storage management functions off the ESX servers and onto the AMS 2000 controllers for significant performance improvements. Brocade Network Advisor Management Plug-in for VMware vCenter enables proactive SAN monitoring and helps administrators to have end-to-end visibility. 

5. Intrinsic Data Protection & De-duplication: Hitachi TrueCopy software copies data to remote locations, and Hitachi Data Protection Suite (DPS), powered by Commvault, improves capacity utilization through data de-duplication. Hitachi Dynamic Replicator enables highly granular recovery capabilities to support the most stringent RPO/RTO requirements. 

6. Improved Application Performance: With ultra-low latency of 600 nanoseconds to 1.8 microseconds, applications get faster access to storage resources, ensuring that client requests are executed as quickly as possible. Line-rate, low-latency CNAs provide a powerful 10 Gbps lossless iSCSI solution at every block size, showcasing their advantage for just about any application. Support for jumbo frames (1500/4500/9000 bytes) on Hitachi AMS 2000 improves performance by reducing the CPU workload that is required to create frames and by increasing throughput, allowing the system to concentrate on the data in the frames instead of the frames around the data. 

7. High Density and High Efficiency: Hitachi's AMS 2000 supports 48 disk expansion trays, letting you put nearly 1 petabyte of storage in a single rack. With Brocade's trunking to aggregate and load-balance data across links within the Brocade Ethernet fabric, you'll achieve near 100% utilization on available paths, unheard of in the world of traditional Ethernet. 

8. Automatic iSCSI Node Capability Configuration: iSCSI TLV interactions between Brocade VDX switches instruct each iSCSI node to place iSCSI flows on any of the eight available PFC priorities, effectively separating storage traffic from other IP traffic, such as network management. 

9. Guaranteed Bandwidth for iSCSI: Enhanced Transmission Selection (ETS) allocates bandwidth to iSCSI traffic or specific iSCSI flows based on assigned priorities, letting you ensure mission critical applications have the best performance. 

10. Controller-free Expandable SAN Switching Architecture: Brocade VDX Switches are fully symmetrical, with no central controller required, letting you create a lossless iSCSI SAN with as few as two switches, and scale up to larger networks with thousands of ports in the Ethernet fabric without concern for central controller capacity and redundancy. The VCS fabric architecture has been designed with extensive capacity for growth. 
READER TO READER 

IT Support in a .NET Development Shop 

Lessons Learned from the Case of the Missing Tool 

Supporting .NET developers is a bit different than supporting users on a network. If you ask any support person at Microsoft, the person will tell you that it's a tough job because developers are good technicians. Having worked for 10 years in a development IT shop, I've experienced pretty much the same thing. After a while, you become a developer as well. But it's long been understood that a developer should be a good systems pro, and a systems pro should understand what is needed for developer environments. 

But, to quote Oscar Wilde, "I am not young enough to know everything," and you won't find a knowledge base article for every problem you encounter. That was the case for one problem I needed to resolve recently. 

On one development machine, a SQL 
developer attempted to run Business 
Intelligence Development Studio (BIDS) 
to edit a SQL Server Reporting Services 
(SSRS) report. Visual Studio 2008 was also 
installed on the machine. When using the 
shortcut to BIDS, the developer received 
an error that the devenv.exe file was miss¬ 
ing. It seems that Visual Studio 2005 had 
been installed and uninstalled. By unin¬ 
stalling Visual Studio 2005, the executable 
for BIDS was uninstalled as well. 

If you encounter a similar problem, 
here's how to solve the problem. First, get 
your SQL Server install media. Make sure 
you have the correct version of SQL Server. 
If you run SQL Server Management Studio 
(SSMS) and select About on the HELP 
menu, you'll see the version number. 



Alternatively, if you're comfortable running a query in SSMS, you can find the version number by running the command 

SELECT 
  SERVERPROPERTY('productversion'), 
  SERVERPROPERTY('productlevel'), 
  SERVERPROPERTY('edition') 

(Although this command wraps here, you'd enter it all on one line. The same holds true for the other command that wraps.) 

In my case, the developer was using SSMS 9.00.4035.00. That number translates to SQL Server 2005 Enterprise Edition SP3. (For information on how to translate the number, see "How to identify your SQL Server version and edition" at support.microsoft.com/kb/321185.) So, I used the media that matched this version. For a development shop, it's really handy to have all software programs available on the network as mountable .iso files or folders. 

Next, you need to open the Tools\Setup folder on the media. You should see a file named VS_SETUP.msi. Run it. In my case, running this Windows Installation file returned an error that the Visual Studio shell was already running. If you encounter that error, open Windows Explorer, navigate to the VS_SETUP.msi file, right-click it, then choose Repair. 

At this point, open a command window for a command prompt screen and change the context to the Tools folder. Again, within that folder, run the command 

start /wait setup.exe /qb REINSTALL=SQL_WarehouseDevWorkbench REINSTALLMODE=OMUS 

If all goes well, BIDS will be reinstalled and the developer is back in business. Figure 1 shows BIDS. 

The lessons learned here are twofold. First, if you can have multiple versions of Visual Studio and other applications such as SQL Server installed on development machines, there's always the chance of running into the unexpected. 
Second, if you're the support person for a .NET developer environment, your overall experience will, in all likelihood, lead you to solve problems faster than the developers, despite the fact that you might not be an experienced .NET developer or SQL Server database administrator (DBA). 

—Curt Spanburgh, Microsoft Dynamics CRM MVP 
and owner of One Solution Group 
ASK THE EXPERTS 

Hyper-V | VMware ESX | Remote Desktop Services | Outlook | System Center Virtual Machine Manager 

ANSWERS TO YOUR QUESTIONS 



Q: Can I assign alternative text to 
appear when a graphic embedded 
in an Outlook email message can't 
be displayed? 

A: Ever since HTML functionality was added to Microsoft Outlook in Outlook 98, people have been embedding graphics and media in email messages—sometimes without considering the tools recipients might be using to view those messages. 

For many of the graphics that you can 
embed in an Outlook email message, you 
can assign alternative text to display when 
the image can't be rendered (whether by 
technological limitations or by choice of 
the recipient). Most embedded graphics 
allow alternative text to be displayed in 
place of the graphic, including pictures, 
shapes, charts, Visio diagrams, SmartArt, 
and more. This alternative text appears 
when the recipient's client can't render the 
image. The alternative text also appears 
when you mouse over the image in most 
email clients that download and display 
the content. 

To assign alternative text to an embedded Outlook email graphic when creating a message, right-click the item and select the Format or Properties menu item. For an embedded image, right-click the image and select Format Picture. (In the case of a Microsoft Excel table, the right-click menu option to add alternative text is Table Properties.) An annoyance with this window is the lack of an OK, Save, or Apply button. However, your changes are saved when you click Close. The alternative text is applied within an HTML message as part of the IMG tag. If you select View Source on the HTML message from the recipient's client, the IMG tag shows the alternative text in this format: 

<img width=155 height=225 id="Picture_x0020_1" 
src="frmReadMail_Attachment.aspx?folder=INBOX&uid=545067&partid=4&filename=image003.jpg&user=william&mapped=True" 
alt="Title: Tasker Oddie - Description: c:\Users\william\downloads\web.jpg&#13;&#10;Former Governor of Nevada"> 

The alternative text is displayed instead of the picture. This is beneficial for recipients who might want some insight as to the content of the graphic. It's also very valuable to disabled users who require the use of a screen reader. The alternative text advises the user of a graphic's content when the user is unable to view the graphic. Alternative text can also be useful for rules or other filtering. 

Anytime you apply graphics to email 
messages, you should be aware that 
options exist to make graphics more 
valuable to recipients. The alternative text 
property is a useful tool in this regard. 

—William Lefkovics 
InstantDocID 135863 
Q: Is it supported to boot a Windows Server 2008 R2 server running Hyper-V from a virtual hard disk (VHD)? 

A: Server 2008 R2 adds the ability to 
boot a physical host from a VHD. It's 
fully supported to boot a host run¬ 
ning Hyper-V from a fixed-size VHD, 
and it's a common architecture that 
can simplify deployment. (The free 
Hyper-V Server 2008 R2 also supports 
boot from VHD.) It's not advised, 
however, to place VHDs for virtual 
machines (VMs) inside the VHD that 
Hyper-V boots from. You should place 
the VHDs for VMs on a SAN or volume 
outside of the booted VHD, such as a 
D drive that isn't virtualized. 

—John Savill 
InstantDocID 135968 


Q: I'm trying to install Lync Server 
2010 on Windows Server 2008 R2 
SP1, but the Setup or Remove Lync 
Server Components in the Deploy 
part of installation gives a prereq¬ 
uisite Wmf2008R2 failure. What 
can I do? 

A: Server 2008 R2 SP1 changed the package version of the Windows Media Format runtime, and Lync setup is looking for the pre-SP1 version. The solution is to manually add the Windows Media Format runtime package from an elevated command prompt. Use the command 

%systemroot%\system32\dism.exe /online /add-package /packagepath:%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum /ignorecheck 

Once the reboot is complete, restart the 
Lync Server 2010 installation. After doing 
so, you'll get past the Wmf2008R2 prereq¬ 
uisite failure. 

—John Savill 

InstantDocID 136047 


Q: What's VMware's PVSCSI driver, 
and how do you convert an existing 
virtual machine (VM) to use it? 

A: PVSCSI is the VMware Paravirtual SCSI driver. This driver is designed for use in VMs with very high storage performance requirements. According to VMware knowledgebase article 1010398 (kb.vmware.com/kb/1010398), the PVSCSI driver is "best suited for environments, especially SAN environments, where hardware or applications drive a very high amount of I/O throughput." VMware suggests this adapter isn't intended for DAS storage. 

The PVSCSI driver might increase storage performance for VMs with heavy storage utilization across SAN connections, but it does so with a set of limitations. Found in the same knowledgebase article, those limitations are: 

• Hot add or hot remove requires a bus rescan from within the guest. 

• Disks with snapshots might not experience performance gains when used on Paravirtual SCSI adapters or if memory on the ESX host is overcommitted. 

• If you upgrade from RHEL 5 to an unsupported kernel, you might not be able to access data on the virtual machine's PVSCSI disks. You can run vmware-config-tools.pl with the kernel-version parameter to regain access. 

Be cautious and test thoroughly prior to 
implementing VMware's PVSCSI driver. 
Some OSs aren't supported, the limita¬ 
tions above may have an impact on VM 
operations, and some workloads won't see 
a measurable performance benefit. 

Prior to vSphere v4.0 Update 1, the 
PVSCSI driver didn't support booting Win¬ 
dows guests. Windows guests requiring 
the PVSCSI driver were recommended to 
create separate boot and data drives, with 
the PVSCSI driver operating exclusively for 
the data drive. 

The PVSCSI driver supports booting Windows guests with the release of vSphere v4.0 Update 1. This driver must be installed into the Windows guest from the VMware Tools or its VMware-supplied floppy disk image. Floppy disk images with the driver can be found in the /vmimages/floppies directory on an ESX/ESXi host. Existing OSs can be migrated to the PVSCSI driver using the following process: 

1. Upgrade the VMware Tools to the current version or install the PVSCSI driver from its floppy disk image. 

2. Add a new virtual hard disk of any size to the VM. Attach it to SCSI node 1:x. 

3. Change the type of the new virtual hard disk to VMware Paravirtual. 

4. Power on the VM, log on, and allow it to complete any driver installations. Then, power down the VM. 

5. Remove the just-created virtual hard disk from the VM and change the type of the original SCSI controller to VMware Paravirtual. 

6. Finally, power back on the VM and remove the device drivers for the old SCSI adapter in Device Manager. These device drivers may be hidden. To expose the hidden device drivers, enter the following two commands to start Device Manager. 

set devmgr_show_nonpresent_devices=1 
start devmgmt.msc 

7. Once it's started, select View, Show Hidden Devices to expose and remove the hidden drivers. 

—Greg Shields 

InstantDocID 135898 

Q: How can I check the effect of 
the Windows Address Space Layout 
Randomization (ASLR) feature on a 
Windows system? 

A: ASLR is a new security feature that Microsoft introduced in Windows Vista that makes it harder for malware to use a system DLL's services by randomizing the DLLs' memory locations in system memory. You can easily observe the effect of ASLR by using the Sysinternals Process Explorer tool, which you can download from tinyurl.com/289vcz. 

To see ASLR's effects, start Process Explorer and ensure that you've selected both the Show Lower Pane and the Lower Pane View/DLLs options in the View menu. Then select the explorer.exe process in the upper pane and check the base address of the ntdll.dll in the base column in the lower pane. (If you don't see the Base column, you can add it by using the View / Select Columns... menu option—it can be added from the DLL tab by selecting the Base Address box.) Write down the base address and then reboot your system. On a Windows XP system, you'll notice that the base address for ntdll.dll remains identical after a system reboot (XP doesn't support ASLR). On a Windows Vista or Windows 7 system, you'll notice the base address will be different after a system reboot (both Vista and Windows 7 support ASLR). 

—Jan De Clercq 

InstantDocID 135897 
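The same check can be scripted so it survives the reboot without a notepad. The following is an added PowerShell example, not part of the answer above: it reads the base address of ntdll.dll from every process it can open, appends one line per run keyed by the OS boot time, and reports whether the address has changed between boots. Process.Modules and Win32_OperatingSystem.LastBootUpTime are standard .NET and WMI members; the log location is an assumption.

```powershell
# Added example, not from the column: automate the ntdll.dll base-address check.
# Run it from a PowerShell whose bitness matches the processes you care about
# (64-bit PowerShell for 64-bit processes), then reboot and run it again.
$Log = Join-Path $env:LOCALAPPDATA 'aslr-ntdll.log'   # assumed log location

function Get-NtdllBase {
    # Every Windows process maps ntdll.dll. With ASLR, its base is chosen once
    # per boot and shared by all processes, so rows agree within a boot and
    # differ between boots; without ASLR (Windows XP) it never changes.
    Get-Process | ForEach-Object {
        try {
            $m = $_.Modules | Where-Object { $_.ModuleName -ieq 'ntdll.dll' }
            if ($m) {
                [pscustomobject]@{
                    Process = $_.ProcessName
                    Pid     = $_.Id
                    Base    = ('0x{0:X16}' -f $m.BaseAddress.ToInt64())
                }
            }
        } catch {
            # Protected processes and processes of the other bitness cannot be
            # opened for module enumeration; skip them rather than abort.
        }
    }
}

$rows  = Get-NtdllBase
$bases = $rows | Select-Object -ExpandProperty Base -Unique

# Key each run by boot time so "same boot" and "after reboot" can be told apart
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.ToString('s')
"$boot $($bases -join ',')" | Add-Content -Path $Log

$rows | Format-Table -AutoSize
"ntdll.dll base address(es) this boot: $($bases -join ', ')"

$history = Get-Content -Path $Log |
    ForEach-Object { ($_ -split ' ', 2)[1] } |
    Select-Object -Unique
if (@($history).Count -gt 1) {
    "Base address differs between logged boots: system DLL ASLR is in effect"
} else {
    "Only one base address logged so far: reboot and run again to compare"
}
```

Within a single boot every process should report the same value, which is itself a useful sanity check on the reading. Note that this shows system-wide randomization of a system DLL; whether a particular executable opted in to ASLR for its own image (linked with /DYNAMICBASE) is a separate, per-image check.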

Q: My new installation of Windows 
Server won't activate against my 
Key Management Service (KMS) 
server and prompts me for a key. 
Why? 

A: Sometimes installations can get a little confused about their product keys, especially when you've been given a Sysprep'd image you duplicate. So the easiest way to activate via the KMS is to re-enter the KMS key for your version of Windows—they're listed on the TechNet page "Configuring KMS Clients" (tinyurl.com/28x8247)—then activate. Below is an example for Windows Server 2008 R2 Enterprise edition. 

cscript slmgr.vbs /ipk 489J6-VHDMP-X63PK-3K798-CPX3Y 
cscript slmgr.vbs /ato 

—John Savill 

InstantDocID 136048 

Q: Are dynamic disks supported on 
a failover cluster? 

A: For both Windows Server 2008 and 
Server 2008 R2, dynamic disks aren't sup¬ 
ported. Only basic disks that can use MBR 
or GPT partition styles may be used. If you 
need to use dynamic disks, you can use 
Veritas Storage Foundation for Windows, 
which adds dynamic disk support. In most 
situations, a dynamic disk isn't actually 
required. Large disk support over 2TB is 
provided by GPT disks, and volumes can 
be expanded and shrunk using standard 
Server 2008 R2 functionality. 

—John Savill 

InstantDocID 130071 


Q: Is there a way to run a report to 
make sure a Group Policy setting 
has been applied to a group of 
computers? 

A: There's no capability in standard Group Policy or the Group Policy Management Console to run a server-side report of Group Policy application, because clients pull Group Policy Objects (GPOs)—they're not pushed and applied by the server. One option is to use GPResult on the client. (GPResult is part of both server and client OSs—you don't need to install anything.) It lists all applied policies, which you can then parse with a script and report back to a database. However, you need some custom scripting to do this. 

Another option, if you have some kind 
of desktop management tool, is to use 
desired configuration capabilities, such 
as Desired Configuration Management 
in System Center Configuration Manager 
2007. Desired Configuration Management 
lets you specify configuration items that 
should be applied to a machine, such as 
policies, and then report if a machine falls 
out of that desired configuration. You 
could then report on machines that don't 
have the policy. There are also third-party 
tools that can help report on Group Policy 
application. 

—John Savill 

InstantDoc ID 135967 
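The client-side route the answer describes (run GPResult, parse it, report it) can be scripted as follows. This is an added PowerShell example, not the columnist's code: it runs gpresult /x for computer scope, reads the RSoP XML it produces, and records whether one named GPO was actually applied. The element names it reads (Rsop/ComputerResults/GPO with Name, Enabled, IsValid, AccessDenied and Link/SOMPath) are those of the gpresult /x output as I know it; the GPO name and the report path are assumptions to change for your environment.

```powershell
# Added example, not from the column: check one GPO's application from the
# client side by parsing gpresult /x output and appending a row to a CSV.
# Computer-scope RSoP needs an elevated prompt (or a run as SYSTEM).
param(
    [string]$GpoName = 'Default Domain Policy',    # assumed GPO to look for
    [string]$Report  = "$env:TEMP\gpo-check.csv"   # assumed report location
)

function Get-AppliedComputerGpo {
    $xmlPath = Join-Path $env:TEMP 'rsop.xml'
    # /scope computer limits the query to machine policy; /f overwrites the file
    & gpresult.exe /scope computer /x $xmlPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

    [xml]$rsop = Get-Content -Path $xmlPath
    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Name         = $gpo.Name
            Enabled      = [bool]::Parse($gpo.Enabled)
            IsValid      = [bool]::Parse($gpo.IsValid)
            # A security-filtered GPO still appears in the XML, flagged AccessDenied
            AccessDenied = [bool]::Parse($gpo.AccessDenied)
            LinkedAt     = ($gpo.Link.SOMPath -join ';')
        }
    }
}

$applied = Get-AppliedComputerGpo

# Count the GPO as applied only if it is enabled, valid and not access-denied
$hit = $applied | Where-Object {
    $_.Name -eq $GpoName -and $_.Enabled -and $_.IsValid -and -not $_.AccessDenied
}

$result = [pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    GpoName   = $GpoName
    Applied   = [bool]$hit
    CheckedAt = (Get-Date).ToString('s')
}
$result | Export-Csv -Path $Report -NoTypeInformation -Append
$result
```

Pointing -Report at a share and running the script as a startup script gives the "report back to a database" step in its simplest form, one row per computer per run; the AccessDenied column is what distinguishes a GPO that was denied by security filtering from one that was never linked to the computer's OU at all.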

Q: What's power optimization in 
System Center Virtual Machine 
Manager (VMM) 2012? 

A: VMM 2012 comes with new features 
that greatly improve the clustering 
experience for Hyper-V hosts. One of 
those features, dynamic optimization, uses 
cluster-wide monitors and calculations 
to load-balance virtual machines (VMs) 
across available Hyper-V hosts. Another 
new feature, power optimization, provides 
a function for clusters that's similar in 
some ways, but very different in others. 
Dynamic optimization's job is to create 
the best balance of VMs across hosts, and 
power optimization is aimed at doing 
the same, while also consolidating VMs 
where possible. By consolidating VMs onto 
fewer hosts but still maintaining a balance 
of resources, Hyper-V servers that find themselves no longer hosting VMs can be safely powered down. Those same hosts can be powered on when balancing calculations require VMs to be migrated. 

Power optimization works together 
with dynamic optimization and any 
configured resource thresholds, and can 
be enabled or disabled separately from 
dynamic optimization. Because VMM 2012 
was only recently released as a beta, addi¬ 
tional details are still to come. Microsoft 
discusses more about power optimization 
on TechNet. 

—Greg Shields 

InstantDoc ID 135902 

Q: How does System Center Virtual 
Machine Manager (VMM) 2012 
improve Hyper-V cluster creation? 

A: Hyper-V has, since its inception, relied 
on Windows Failover Clustering as its 
solution for virtual machine (VM) high 
availability. Windows Failover Clustering is 
a mature technology that has been oper¬ 
ating since the days of Windows NT, and 
it remains a general-purpose clustering 
solution. As a result, the same technology 
that enables high availability for DNS or 
file servers is used for failing over Hyper-V 
VMs. 

While this general-purpose architec¬ 
ture is very flexible, it can also be daunting 
to IT pros who aren't clustering experts. 
Windows Failover Clustering comes 
equipped with a range of settings for tun¬ 
ing cluster services, not all of which may 
be appropriate or necessary for enabling 
Hyper-V high availability. VMM 2012 eases 
the process of creating Hyper-V clusters by 
incorporating cluster creation into VMM. 

In VMM 2012, creating a new Hyper-V 
cluster requires little more than clicking 
Create, Hyper-V Cluster and following a 
short wizard. This wizard-driven process 
simplifies cluster creation and reduces the 
risk of a misconfiguration that could lead 
to VM failure. 

Servers must be properly configured 
prior to joining them to a cluster with 
VMM's new wizards. The correct configura¬ 
tion is documented in the Microsoft article 
"Creating a Hyper-V Host Cluster Prerequi¬ 
sites," tinyurl.com/3w5l2mh. 

—Greg Shields 

InstantDoc ID 135900 


Q: I want to reboot all the 
machines in my organization each 
night at 2 a.m. unless a user wants 
to cancel it. What's the easiest 
way to do this without additional 
software? 

A: It's fairly easy to create a recurring scheduled task that runs every night at 2 a.m. Within that task, you could do a check for the existence of a file, and if the file exists, skip the reboot and delete the file (so next time it will reboot). If the file doesn't exist, reboot. You could then add a shortcut on your users' desktops that creates the file if they click it. A very basic batch file to check for a file in Public documents could be the following, saved as schreboot.bat: 

@echo off 

IF EXIST C:\Users\Public\Documents\stopreboot.txt ( 
    del C:\Users\Public\Documents\stopreboot.txt 
) ELSE ( 
    echo rebooting in 60 seconds 
    shutdown /r /t 60 
) 

exit 

For the desktop shortcut, you could save the following single line as noreboot.bat on each user's desktop. 

echo Stop > "C:\Users\Public\Documents\stopreboot.txt" 

For help scheduling the daily calling of the task, see the Microsoft page "Schedule a task" (tinyurl.com/6cszn3c). For a large number of computers, you could push with a Group Policy preference, which is found under Computer Configuration, Preferences, Control Panel Settings, Scheduled Tasks. The scheduled task would just call the schreboot.bat file running as NT Authority\System every day at 2 a.m. 

This is just a very high-level example 
and one way. There would be others, and 
there are more elegant software solutions. 
Also, I stress that you should take a close 
look at whether a nightly reboot is really 
required. 

—John Savill 

InstantDoc ID 135891 
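As an added example that is not from the column, here is the same flag-file opt-out written in PowerShell. It adds two things the batch version lacks: a log line recording each night's decision (so you can later see which machines skipped and which rebooted), and a -Register switch that creates the daily task with schtasks.exe running as SYSTEM. The task name, log path and the script's own location are assumptions.

```powershell
# Added example, not from the column: the same flag-file opt-out in PowerShell,
# with a log line for each night's decision. Run once with -Register (elevated)
# to create the daily task; the task then runs this script as SYSTEM at 02:00.
# Task name, log path, and the script's own location are assumptions, and the
# script path must not contain spaces because it is passed unquoted to schtasks.
param([switch]$Register)

$FlagFile = 'C:\Users\Public\Documents\stopreboot.txt'   # same flag file as the batch version
$LogFile  = "$env:SystemRoot\Temp\nightlyreboot.log"      # assumed log location
$TaskName = 'NightlyReboot'                                # assumed task name

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding ascii
}

if ($Register) {
    $self = $MyInvocation.MyCommand.Path
    # /RU SYSTEM runs the task as NT AUTHORITY\SYSTEM; /F overwrites an existing task of the same name.
    schtasks.exe /Create /TN $TaskName /SC DAILY /ST 02:00 /RU SYSTEM /F `
        /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $self"
    return
}

if (Test-Path -LiteralPath $FlagFile) {
    # A user opted out for tonight; consume the flag so tomorrow's run reboots again.
    Remove-Item -LiteralPath $FlagFile -Force
    Write-Log 'Reboot skipped: opt-out flag found and removed'
} else {
    Write-Log 'No opt-out flag; rebooting in 60 seconds'
    shutdown.exe /r /t 60 /c 'Scheduled nightly reboot'
}
```

Because the flag lives in Public Documents, any local user can suppress that night's reboot, which is exactly the behaviour the column asks for; the log is what lets you tell afterwards how often that happens on a given machine. 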
ASK THE EXPERTS 


Q: What software and roles can I install on a domain controller (DC)? 

A: There is no definite right or wrong here (unless you want to install a major application, such as Exchange, on your DC—which is wrong). Generally, you want a DC to be just a DC, with nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime. Ideally, a DC should be easy to replace, just by standing up another DC. When you put other software and roles on a DC, you make it harder to replace it. 

There are certain pieces of software and 
roles you probably will run on your DCs: 

• Anti-virus software (make sure you have your exceptions configured to avoid conflict with AD) 

• Backup agents (e.g., System Center Data Protection Manager) 

• Monitoring agents (e.g., System Center Operations Manager) 

• Patching and management (e.g., System Center Configuration Manager) 

• Identity management agent or code (e.g., Forefront Information Lifecycle Management) 

• DNS role (because of the integration possible with AD) 

• File Replication Service and Distributed File System Replication (used for SYSVOL replication) 

• Management scripts 

While not recommended necessarily, you might also see the following on DCs, and they shouldn't be huge problems: 

• Security policy software where Group Policy isn't the primary tool 

• DHCP services 

• Network packet capture software for troubleshooting 

• WINS 

• Password filters 

• Event log consolidation programs 

• Key Management Service (KMS) 

This isn't exhaustive, but it should give 
you the right idea about what's common. 
Just remember to keep your DCs light so 
they're easy to replace. 

—John Savill 

InstantDoc ID 130074 
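One way to keep a DC "light" in practice is to audit what is actually installed against an expected baseline. The script below is an added example, not from the column: it lists installed roles and features that fall outside an allow list, using Get-WindowsFeature from the ServerManager module (Server 2008 R2 or later). The allow list itself is an assumption and should be adjusted to your own DC build.

```powershell
# Added example, not from the column: report roles and features installed on a
# DC that are not in an expected baseline. The baseline below is an assumption.
Import-Module ServerManager

# Roles/features a plain DC is expected to carry (assumed baseline; edit to taste).
$ExpectedFeatures = @(
    'AD-Domain-Services',   # Active Directory Domain Services
    'DNS',                  # DNS Server role, AD-integrated
    'RSAT-AD-Tools',        # AD management tools
    'RSAT-DNS-Server',      # DNS management tools
    'GPMC',                 # Group Policy Management Console
    'NET-Framework-Core',
    'PowerShell-ISE'
)

function Get-UnexpectedDcFeature {
    param([string[]]$Expected = $ExpectedFeatures)
    # Only installed top-level roles and features; role services come in with their parent role.
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -ne 'Role Service' } |
        Where-Object { $Expected -notcontains $_.Name } |
        Select-Object Name, DisplayName, FeatureType
}

# Usage: anything listed here is a candidate for removal or for adding to the baseline.
$extra = Get-UnexpectedDcFeature
if ($extra) {
    "Roles/features outside the DC baseline on ${env:COMPUTERNAME}:"
    $extra | Format-Table -AutoSize
} else {
    "No roles or features outside the DC baseline on ${env:COMPUTERNAME}"
}
```

Running this from a scheduled task or a monitoring agent turns the column's "keep your DCs light" advice into a repeatable check rather than a one-time review. 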


Q: I'm using a Windows Server 2008 R2-based virtual desktop infrastructure (VDI) connecting to Windows 7 guests. What do I need to do to get the Aero Glass theme when I connect? 

A: When you set up a VDI pool, the pool is configured with certain settings that are used when you connect, using either RDWeb or your computers' local RemoteApp and Desktop Connections. To get the Aero Glass theme, use the Remote Desktop Connection Manager tool. Go to RD Virtualization Host Servers - <Your Pool> and then click Change for your VDI pool settings. Under Common RDP Settings, select Highest Quality (32 bit) for Color. (You can also choose to allow font smoothing.) Now go to the Custom RDP Settings and apply more settings to ensure you get a full-fidelity graphical experience. 

Below are the settings you need for Aero, in text form for easy cutting and pasting. They include allowing desktop composition (which is how Aero works), enabling themes and wallpaper, specifying a LAN connection (connection type:6), and some other settings. 

screen mode id:i:1
desktopwidth:i:1024
desktopheight:i:768
keyboardhook:i:1
audiocapturemode:i:0
connection type:i:6
compression:i:1
videoplaybackmode:i:1
disable wallpaper:i:0
allow desktop composition:i:1
disable full window drag:i:0
disable menu anims:i:0
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1

If you want to see exactly what each setting does, see the TechNet page "RDP Settings for Remote Desktop Services in Windows Server 2008 R2" at tinyurl.com/6htsfng, which gives details about every setting that's possible. 

—John Savill 

InstantDoc ID 135959 


Q: How can I allocate a greater share of my CPU resources to some users than to others using Windows Server 2008 R2's Remote Desktop Services? 

A: One of the great enhancements to Server 2008 R2 was the addition of a kernel-level fair-share CPU algorithm. This algorithm makes sure that when there's contention for CPU resources, all of your sessions get an equal amount of CPU. This helps stop a runaway process from consuming more resources than it should. This functionality was possible under Server 2008 using Windows System Resource Manager's (WSRM's) Equal_Per_Session policy, but WSRM could take seconds to enforce the fair sharing, which could sometimes be too late to prevent negative performance for other sessions. The Server 2008 R2 kernel-level fair-share enforces in milliseconds, so it's far more timely. 

I had a few different readers write in to tell me that fair-share is great, but some of them need to weight CPU allocations for their sessions instead of giving every user in their environments equal allocations. To do this, go back to using WSRM. There's a WSRM policy in Server 2008 R2 called Weighted_Remote_Sessions that lets you categorize users into three groups (premium, standard, and basic) that prioritize CPU usage in the order listed. 

To use WSRM, add the WSRM feature using Server Manager. Once it's installed, start the Microsoft Management Console (MMC) WSRM snap-in from the Administrative Tools folder, open Resource Allocation Policies, right-click Weighted_Remote_Sessions, and select Properties. You can now add users using the Add button. Select the appropriate Priority from the drop-down, then add specific users. 

You can repeat these steps for each of the various priorities you want to use. Once you've added all the users, select the Weighted_Remote_Sessions policy and then select the Set as Managing Policy action. You may be prompted to restart WSRM—select Yes. 

—John Savill 
InstantDoc ID 135966 
How to work around 5 problems plaguing it 

by Darren Mar-Elia 
Although Group Policy was introduced more than a decade ago, it's still the main way numerous Windows shops configure, lock down, and secure their Windows servers and desktops. With such an important job on the line, you would think that Group Policy would have evolved the way Windows OSs have, but that simply hasn't been the case. Group Policy's infrastructure, core functionality, and core capabilities have seen only minor tweaks and bug fixes since its debut in Windows 2000. Although new features (e.g., Group Policy preferences) and additional policy areas (e.g., wired and wireless networking) have been added to Group Policy, what you knew about how Group Policy worked in Win2K still largely applies today. So, it's high time to write about the significant problems in Group Policy that have appeared over the years and how you can work around them. 

Group Policy Replication Inconsistencies 

Problem: The storage for Group Policy Object (GPO) settings is split between the Group Policy Container (GPC) in Active Directory (AD) and the Group Policy Template (GPT) in SYSVOL. When you make a change to a GPO, the Group Policy Editor (GPE) writes changes to one or both, depending on what is being written. Most settings are written only to the GPT, but there are exceptions. For example, the GPE writes wired and wireless networking settings only to the GPC and software installation settings to both the GPC and GPT. 

When you change a GPO, the change has to replicate to all domain controllers (DCs) in the environment before clients can successfully process the change. But this replication happens using two different mechanisms—one for SYSVOL and one for AD. Up until Server 2008, the SYSVOL mechanism used the File Replication Service (FRS), which was fraught with problems and thus caused inconsistencies between the AD part and the SYSVOL part of the GPO. It was only with the release of Server 2008 and its support for DFS Replication (DFSR) for SYSVOL that this situation improved significantly. However, most shops haven't yet migrated to DFSR for SYSVOL. This inconsistency in replication means that you can't be sure that a client has the most up-to-date version of a GPO when the client is processing Group Policy from the local DC. This can result in some clients having the policy and others not, which isn't helpful if you're relying on Group Policy for crucial security or desktop lockdown settings. 

Workaround: If your AD infrastructure uses Server 2008 R2 or Server 2008, you should look into migrating your SYSVOL replicas to DFSR. Although the domain functional level needs to be set to Windows Server 2008 to take advantage of DFSR for SYSVOL, the reliability of GPO replication will greatly increase. 

If you aren't at a point where you can take advantage of DFSR for SYSVOL, I highly recommend that you have tools in place to help monitor GPO replication. The GPOTool.exe command-line utility (which is part of the Microsoft Windows Server 2003 Resource Kit) reports GPO replication inconsistencies, but frankly, it's fairly limited and sometimes doesn't work at all. For my own environment, I created a Windows PowerShell cmdlet that I can use to quickly check a given GPO across all my DCs. As Figure 1 shows, the Get-SDMGPOVersion cmdlet checks only the GPO version numbers in AD and SYSVOL—it doesn't look at the actual file data between all SYSVOL replicas. However, version number inconsistencies can be a good warning sign that something is wrong. You can download the free Get-SDMGPOVersion cmdlet by going to www.gpoguy.com/Free-GPOGuy-Tools.aspx and clicking the GPO Version PowerShell Cmdlets link. 

In addition, it's an excellent idea to have some general FRS monitoring in place to let you know if your FRS infrastructure is on the fritz. Microsoft has a free tool named Ultrasound (bit.ly/gPYCzT) that serves this purpose well. 
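The version-number check the author describes can be reproduced with nothing but ADSI and a file share read. The function below is an added example, not the author's Get-SDMGPOVersion cmdlet: it reads the versionNumber attribute from the GPO's Group Policy Container in AD and compares it with the Version= line in gpt.ini on every DC's SYSVOL replica. It assumes a domain-joined machine whose user can read the GPC and SYSVOL; the GUID in the usage line is the well-known Default Domain Policy GUID.

```powershell
# Added example, not the article's Get-SDMGPOVersion cmdlet: compare a GPO's
# version in its AD Group Policy Container with gpt.ini on each DC's SYSVOL.
# Assumes a domain-joined machine whose user can read the GPC and SYSVOL.

function Get-GpoVersionConsistency {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GpoGuid    # braces included, e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    )

    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $rootDse  = [ADSI]"LDAP://$($domain.Name)/RootDSE"
    $domainDn = $rootDse.Properties['defaultNamingContext'].Value

    # The GPC lives at CN=<guid>,CN=Policies,CN=System,<domain DN>. versionNumber is one
    # packed 32-bit value: high 16 bits = user version, low 16 bits = computer version.
    $gpc       = [ADSI]"LDAP://$($domain.Name)/CN=$GpoGuid,CN=Policies,CN=System,$domainDn"
    $adVersion = [int64]$gpc.Properties['versionNumber'].Value

    foreach ($dc in $domain.DomainControllers) {
        # Read this DC's own SYSVOL replica, not the DFS namespace, so replicas are compared.
        $gptIni        = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$GpoGuid\gpt.ini"
        $sysvolVersion = $null
        if (Test-Path -LiteralPath $gptIni) {
            # gpt.ini carries the same packed number on a "Version=<n>" line.
            $line = Get-Content -LiteralPath $gptIni |
                Where-Object { $_ -match '^Version=(\d+)' } | Select-Object -First 1
            if ($line -and $line -match '^Version=(\d+)') { $sysvolVersion = [int64]$Matches[1] }
        }

        $userVersion = $null; $computerVersion = $null
        if ($sysvolVersion -ne $null) {
            $userVersion     = [math]::Floor($sysvolVersion / 65536)
            $computerVersion = $sysvolVersion % 65536
        }

        New-Object PSObject -Property @{
            DomainController = $dc.Name
            AdVersion        = $adVersion
            SysvolVersion    = $sysvolVersion        # $null means gpt.ini is missing on that DC
            UserVersion      = $userVersion
            ComputerVersion  = $computerVersion
            Consistent       = ($sysvolVersion -eq $adVersion)
        }
    }
}

# Usage: show every DC whose SYSVOL copy of the Default Domain Policy disagrees with AD.
Get-GpoVersionConsistency -GpoGuid '{31B2F340-016D-11D2-945F-00C04FB984F9}' |
    Sort-Object DomainController |
    Format-Table DomainController, AdVersion, SysvolVersion, UserVersion, ComputerVersion, Consistent -AutoSize
```

A row with Consistent set to False right after a GPO edit is normal while replication catches up; a row that stays False, or a missing gpt.ini on one DC, is the warning sign the author is talking about. As with the original cmdlet, this compares version numbers only, not the file contents of the GPT. 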

Client-Side Processing Doesn't Fail 
Gracefully 

Problem: If you're familiar with Group 
Policy processing, you know that client 
machines (servers or workstations) are 
responsible for pulling policy settings from 
DCs on a periodic basis, at startup, or at 
logon. For that to happen successfully, two 
events must take place: 

1. The clients must successfully query 
AD to determine which GPOs apply to the 
current computer and/or user. 

2. Each client-side extension or policy 
area must successfully execute the logic to 
process the policy settings. 


In each step, the Group Policy engine's robustness is limited. For example, if a client encounters a DC that has SYSVOL inconsistencies or if the DC fails to respond to requests for GPO-related information, the client's engine simply gives up Group Policy processing. There's no notion of the engine failing over to a different DC to try its tasks again, even though there's redundancy built into AD. 

In addition, if an individual client-side extension encounters an exception it can't handle (e.g., corrupt settings within a given GPO) during its processing cycle, it will typically fail completely, which means that no other client-side extensions can run after it. So, a failure in one client-side extension usually brings down the entire Group Policy processing cycle. This lack of robustness makes it difficult to rely on Group Policy as a security configuration mechanism. 


Workaround: The bad news is that there's no hard and fast solution to getting around this particular problem. The good news is that it happens infrequently. The best strategy is to prevent these kinds of failures from impacting your environment by having a good monitoring system in place on client machines to detect failures in Group Policy processing. On Windows XP and Windows Server 2003 machines, this means looking for error events with a source of type Userenv in the application event log. On Windows 7, Server 2008 R2, and Server 2008 machines, this means monitoring the Group Policy operational log for failure events, as shown in Figure 2. By monitoring failed events on your clients, you might not be able to eliminate problems but you should be able to proactively spot and correct them. 
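The monitoring the author recommends can be scripted against a list of clients. The function below is an added example, not from the article: on Windows 7, Server 2008 and Server 2008 R2 it reads error-level events from the Microsoft-Windows-GroupPolicy/Operational log, and on XP and Server 2003 it falls back to Userenv errors in the Application log. The computer names in the usage line and the 24-hour look-back default are assumptions.

```powershell
# Added example, not from the article: collect Group Policy processing failures
# from a client over a look-back window. Defaults and client names are assumptions.

function Get-GroupPolicyFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    $os    = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # 6.0 = Vista/Server 2008, 6.1 = Windows 7/Server 2008 R2: these have the operational
    # log. Older systems only log Userenv errors to the Application log.
    if ([version]$os.Version -ge [version]'6.0') {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
            Level     = 2            # 2 = Error
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Computer';    e = { $ComputerName }},
                      TimeCreated, Id,
                      @{n = 'Message';     e = { ($_.Message -split "`n")[0] }}
    } else {
        Get-EventLog -ComputerName $ComputerName -LogName Application -Source Userenv `
                     -EntryType Error -After $since -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Computer';    e = { $ComputerName }},
                      @{n = 'TimeCreated'; e = { $_.TimeGenerated }},
                      @{n = 'Id';          e = { $_.EventID }},
                      @{n = 'Message';     e = { ($_.Message -split "`n")[0] }}
    }
}

# Usage: sweep a set of clients (names assumed) and list everything that failed in the last day.
'WKS-001', 'WKS-002', 'SRV-APP01' |
    ForEach-Object { Get-GroupPolicyFailure -ComputerName $_ } |
    Format-Table Computer, TimeCreated, Id, Message -AutoSize
```

Only the first line of each message is kept so the table stays readable; the event Id is what you would key a monitoring rule on, and an empty result for a machine means no Group Policy error was logged in the window, not that policy was applied. 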

Not All OS Configuration Features 
Are Supported 

Problem: Given that Group Policy is the 
mechanism for configuring Windows OSs, 
you'd expect that you should be able to use it 
to configure pretty much everything related 
to Windows. Unfortunately, that isn't the 
case. When Microsoft releases a new OS 
version, it does a pretty good job of adding 
policy settings to cover the new features, 
especially within Administrative Templates. 
But to say that every feature in Windows is 
configurable through Group Policy would be 
a gross overstatement. Many configuration 
tasks that you might want to perform with 
Group Policy aren't currently supported. For 
example, you can't use Group Policy to: 



Figure 2: Monitoring failed Group Policy processing events in the Group Policy operational log 
• Configure the security settings for the 
.NET Framework. 

• Configure network stacks (outside 
of firewalls and IPsec, which are 
supported). 

• Add and remove Windows roles or 
features. (Not being able to add or 
remove roles is especially irritating 
because it seems like the perfect task 
for Group Policy.) 

Workaround: If a particular configuration item doesn't have its own Group Policy setting, you can leverage the free-form capabilities of Group Policy-based scripts to make changes to the item. Under Computer Configuration\Policies\Windows Settings\Scripts, you have the ability to run startup and shutdown scripts on a computer. Similarly, under User Configuration\Policies\Windows Settings\Scripts, you have the ability to run logon and logoff scripts for a user. So, if a configuration item is scriptable, you can make the changes using Group Policy-based scripts. For example, Netsh.exe is a command-line tool that lets you make network stack changes. You can create a startup script that uses Netsh.exe to change a network stack's configuration, then add that script to a GPO. Another example is creating a startup script that uses the command-line Ocsetup.exe utility to install a Windows feature, then adding that script to a GPO. 

When using Group Policy-based scripts, you need to keep in mind the security context in which each type of script runs. Startup and shutdown scripts run in the context of the LocalSystem account, which is privileged enough to do most any kind of operation on a server or workstation. Conversely, logon and logoff scripts run in the context of the user, who is probably not privileged on his or her system. So, you would implement most computer-related configuration changes with startup scripts. 

You also need to keep in mind that startup and logon scripts run only in the foreground. This means that startup scripts run only when the computer is rebooted, and logon scripts run only when the user first logs on. If you need an installation to run in the background, regardless of machine or user state, you should consider using the Group Policy preferences' Scheduled Tasks feature to create scheduled tasks that execute commands based on the time of day. 

RSoP Shortcomings 

Problem: As I mentioned previously, numerous Windows shops use Group Policy's security configuration capability for the important task of securing their Windows servers and desktops. This is a must-have rather than a nice-to-have capability for many organizations, especially those with regulatory concerns. And related to those concerns is the need to audit whether the security configurations were successfully delivered and applied to the targeted systems (e.g., registry, file system, SAM database). 

Group Policy provides the Resultant Set of Policy (RSoP) feature to report on policy processing. RSoP lets you check whether GPOs and settings were received by a given server, workstation, or user, as Figure 3 shows. However, using RSoP as a compliance and audit tool has its shortcomings: 

• RSoP tells you what GPOs and settings were delivered to clients, but it doesn't validate that they were successfully applied to the clients' registry or file system. So, as an audit tool, RSoP probably won't pass muster in regulated environments in which you need to show, without a doubt, that a system has been properly secured. 

• There's no enterprise reporting capability for RSoP data. The Group Policy toolset doesn't include a tool that collects RSoP data across all workstations and servers and summarizes it to give you at-a-glance feedback on whether a policy has been delivered to all your systems. The lack of a feedback loop makes Group Policy problematic to rely on for crucial security configuration tasks. 

Workaround: There's no quick fix for this problem, but there are several things you can do. If you're using Microsoft System Center Configuration Manager (SCCM), you can use its Desired Configuration Management (DCM) feature to validate security settings across an enterprise. In addition, you can download Microsoft's Security Compliance Manager (SCM) at tinyurl.com/SCM-Download. This free tool is designed to help you write a security baseline policy that you can export to a GPO backup or DCM baseline. This makes it easy to integrate the creation of security baselines into delivery through Group Policy and reporting through SCCM and DCM. 

If you aren't using SCCM, there are a couple of tools you can use to obtain some audit information. I created a free PowerShell cmdlet called the Group Policy Health Cmdlet, which you can download at www.sdmsoftware.com/freeware. This cmdlet lets you query remote systems by machine, organizational unit (OU), or domain. It returns information about what GPOs have been processed and whether there were any processing errors. (It doesn't return any information about whether the policy settings were delivered to a machine.) As Figure 4 shows, the OverallStatus entry lets you quickly see whether a GPO was successfully processed (green) or not (red). It also provides details about the GPO processing on each targeted system. 

Figure 3: Checking RSoP results 

Figure 4: Checking which GPOs have been successfully processed with the Group Policy Health Cmdlet 

Another tool you can use is Microsoft's free GPInventory.exe tool, which you can download at bit.ly/h5uOi7. Although this tool was designed for XP and Windows 2003, it collects basic Group Policy information, including some RSoP data, from multiple machines in an environment. It can help get you part of the way toward the goal of knowing the Group Policy status across your Windows systems. 

Lack of Features Optimized for 
Servers 

Problem: Group Policy was primarily designed as a desktop configuration management solution. Its use in server environments is common, but it lacks some key features that make it useful as a server-based solution. Chief among these is its lack of a deterministic delivery mechanism geared toward the special needs of servers. How many of you manage server environments in which it would be OK to tell your boss that the security configuration that you're going to do tonight will happen "sometime within the next 2 hours or when I reboot the server"? Most server changes are subject to rigorous change controls and need to happen at a given time to prevent outages. Because Group Policy processing is a pull-based mechanism that happens in the background every 90 minutes or in the foreground on a machine reboot or user logon, it doesn't lend itself to the precision typically required for server changes. 

Another downside to using Group Policy to configure servers is that the types of configurations you typically want to make (outside of security configurations) generally aren't supported out of the box (e.g., the lack of support for adding and removing server roles and features). Thus, you have to rely on scripting. 

Finally, Group Policy's inheritance feature (i.e., a given user or computer can be subject to a number of different GPOs linked to their AD hierarchy) is a useful feature for workstations but leads to complications with servers. When managing server configurations, you need to know in advance what settings are going to apply to a given server when you make a Group Policy change. The RSoP modeling feature can help provide this information, but the Group Policy toolset doesn't include a good conflict-analysis tool that will tell you what settings will be affected when you implement a new setting. This ambiguity isn't good for server environments. 

Workaround: Each problem area I just pointed out requires a different workaround. To work around the missing deterministic delivery mechanism, you can use several different tools to make your Group Policy changes take effect within a particular timeframe. The first is Specops Software's free Specops Gpupdate tool (www.specopssoft.com/products/specops-gpupdate). This graphical tool essentially lets you run a GPUpdate command against a group of remote machines, effectively forcing them to update their policy at the moment you trigger it. You could use this after deploying a policy change to ensure that your servers get the update in a timely fashion. 

If your configuration changes fit into the capabilities of Windows Scheduled Tasks, you could use the Group Policy preferences' Scheduled Tasks feature to control when a configuration change is performed. You could also use the Group Policy preferences' Item-Level Targeting feature to apply a time-bound policy setting so that the policy setting applies only if the time on the targeted system is within the specified range. However, your time window has to be wide enough to accommodate the normal 90-minute Group Policy refresh interval—otherwise you might miss it. 

To work around unsupported server configurations, you can leverage Group Policy-based scripts, as I described in the "Not All OS Configuration Features Are Supported" section. The configuration item must be scriptable to use this workaround. 

To work around inheritance challenges, the best advice I can give is to try to limit the number of GPOs that you deploy to server systems and segregate them by function. Ideally, you would deploy one GPO for all security changes, one GPO for all registry changes, and so on. You might not be able to reach this goal, but getting close helps minimize inheritance-related problems. 

Creativity, Patience, and 
Workarounds 

I've laid out a number of Group Policy problems that Microsoft isn't likely to address any time soon. There are other problems as well. But all things being equal, Group Policy is still a pretty good solution for managing enterprise configuration on your Windows systems. Given enough creativity, patience, and the workarounds I described, you can build a reliable Group Policy infrastructure. And although you might not be able to pass the most stringent audit using Group Policy tools alone, you should be able to accomplish many of your desktop and server lockdown tasks without resorting to much more expensive solutions. 

InstantDoc ID 136034 
Drive the implementation of four complementary concepts: standardization, compliance, automation, and self-service 

by John Savill 


System Center Service Manager 2010 is a mystery to most people. Is it a ticketing system? Is it a change management system? Is it a workflow engine? It's all of these and more. 

In most organizations, IT operations are trying to reduce costs, improve the end-user experience, deliver services faster, and achieve better reporting and data sharing to meet internal and regulatory compliance requirements. To help meet these goals, Service Manager drives the implementation of four key concepts: standardization, compliance, automation, and self-service. These concepts complement each other. If you want to have compliant systems, you need to standardize the environment, and the easiest way to standardize is through automating processes. Automation is the key to enabling self-service for end users and facilitates users triggering a certain workflow, which is completed without further human intervention unless desired. 

Before looking at Service Manager in detail, it's important to understand that it's built around key IT Infrastructure Library (ITIL) concepts. Although not required, I recommend gaining a basic understanding of the ITIL fundamentals before implementing Service Manager. Right now, I'll just focus on a few key ITIL terms you'll need to know: 

• Incident management: An incident is an event that isn't part of standard operations and might 
impact service delivery. The incident management process returns service to normal as quickly 
as possible, minimizing the incident's impact. A user or system reports (i.e., raises) incidents. The 
incident might lead to a change request or problem ticket. 

• Change management: The change management process ensures standard methods and 
procedures are used for any change activity. Change requests are managed through the change 
management process. 

• Problem management: The problem management process identifies the causes of incidents and 
prevents recurrences of the issue. 

• Configuration items: A configuration item is ITIL's term for an object, such as a computer or user. 
• Work items: A work item is ITIL's term for something that needs some work performed, such as 
an incident, change request, or problem. 


Now that you're familiar with the terms used in Service Manager, let's look at what it is, what you need 
to deploy it, and how to use it. 

Background 

Service Manager's power comes from its configuration management database (CMDB) and its integration with other IT systems. CMDB links to IT systems and stores information about them. Service Manager provides various portals and workflows to access the information in CMDB. 

Out of the box, Service Manager integrates with Active Directory (AD), System Center Operations Manager, and System Center Configuration Manager (SCCM), which gives Service Manager knowledge about your systems, people, hardware, and software. You can also integrate Service Manager with other products in the System Center family (e.g., Opalis) and Microsoft Exchange. Plus, you can use PowerShell to connect to third-party systems. Figure 1 shows Service Manager's complete architecture and integration. 


Windows IT Pro | We're in IT with You | 26 | JULY 2011 | www.windowsitpro.com 

SERVICE MANAGER 2010 

Figure 1: Service Manager's main components 


Integrating with other systems is great for collecting information and reporting—and a whole lot more. A powerful workflow engine lets Service Manager initiate complex sequences of actions on connected systems across multiple platforms. The actions can be initiated by users through web-based portals or in response to alerts generated by connected systems. Here are some examples: 

• If Operations Manager triggers an alert, Service Manager can automatically generate an incident, then follow a predefined workflow. The workflow might entail a number of steps, such as notifying groups by email about the alert, requesting input from an analyst, and using SCCM to perform an action. You can automate as little or as much as you want. More automation means better standardization, less administrator overhead, and better compliance with requirements. Even if automation isn't used, you can use the Service Manager console to manage Operations Manager alerts and see information related to the incident. Being able to obtain information from all the management systems (e.g., AD, SCCM) rather than just the information from Operations Manager might expose details that will aid in the resolution of the incident. 

• When Service Manager is integrated with SCCM, all of the inventory and packaged application information is available to Service Manager. Thus, you can implement workflows that allow users to access the Service Manager self-service portal to request a software installation. Users are presented with a software list that's automatically populated using the inventory and packaged application information in SCCM. If a user selects software that requires a license, Service Manager can send an email to the user's manager, asking him or her to approve the software installation. Once approved, the Service Manager workflow adds the user or the user's primary computer (which is known based on SCCM asset intelligence) to a SCCM collection (i.e., a group of defined computers in SCCM that are used as the targets of deployments) to facilitate the installation of the software. 

• SCCM has a great feature named Desired Configuration Management. It allows a baseline to be created on how a system should look, which can be defined in terms of files, registry settings, software packages, and configurations. The baseline enables standardization and compliance on applied systems. If a system deviates from the baseline, SCCM reports on this deviation. However, it doesn't take action to make the system compliant with the desired state. Service Manager fills this gap. For instance, when a machine falls out of the desired configuration, Service Manager can create an incident, which triggers workflows that will make the machine compliant again. Making the machine compliant is typically achieved by interacting with SCCM to re-install software or reset configurations. 

Requirements 

Before I go any further, I want to talk about the servers and software you'll need to implement Service Manager. To begin, you'll need at least two Service Manager servers, which can be physical or virtual. The Service Manager servers take on different roles: One becomes the Service Manager management server, and the other becomes the data warehouse management server. Both servers require the 64-bit version of Windows Server 2008 SP1 or later. 

The Service Manager management server is Service Manager's brain. It manages connections, manages the integration with other systems, executes workflows, and performs any other action that's required. This server has its own database, which must be hosted on the 64-bit version of SQL Server 2008 SP1 or later. 

Typically, a Service Manager management server can handle around 80 concurrent active console sessions. To handle more active console sessions, you can add additional servers to form a Service Manager management group. The servers in the group can share the same database. 

The data warehouse management server houses and manages the data warehouse, which consists of three databases hosted on the 64-bit version of SQL Server 2008 SP1 or later. The data warehouse is used for the long-term archival of the information that Service Manager generates or gathers. In addition, all reports are run against the data warehouse. After you create the data warehouse management server, you connect it to the Service Manager management server to enable the transfer of data into the data warehouse and establish the link to the Service Manager console. 

Service Manager uses SQL Server Reporting Services (SSRS) for reports. SSRS typically runs on the data warehouse management server, but this doesn't have to be the case. Reports can be run from the Service Manager console or through the browser-accessible SSRS interface. 

In test environments, the data ware¬ 
house management server doesn't have 
to be running all the time. You can run it 
once a day to trigger the jobs that pull data 
from the Service Manager database into 
the data warehouse and when you want to 
run reports. When data is pulled into the 
data warehouse, it isn't deleted from the 
Service Manager database because that 
data is needed for other Service Manager 
operations. Grooming processes run peri¬ 
odically on the Service Manager database, 
deleting data based on the status of the 
work items and the date and time of the 
last modification. 

You can find detailed instructions for installing Service Manager in the System Center Service Manager 2010 SP1 Deployment Guide (technet.microsoft.com/en-us/library/ff460909.aspx). There are a few gotchas in the installation of Service Manager, which I cover in these FAQs:

• "Q: I'm preparing to install System Center Service Manager (SCSM) 2010. Any tips?" (www.windowsitpro.com, InstantDoc ID 129511)

• "Q: What's the correct order to update my System Center Service Manager (SCSM) 2010 installation to SP1 (or any other service pack)?" (InstantDoc ID 129512)

• "Q: I installed the System Center Service Manager (SCSM) Self-Service Portal onto my SCSM management server. I get an error and see that the SM_AppPool has errors and has been disabled. What's wrong?" (InstantDoc ID 129564)

Using Service Manager 

There are three main types of Service 
Manager users: 

• Service Manager architects and 
administrators. They design and 
implement the Service Manager 
installation, customize workflows and 
forms, and manage Service Manager's 
integration with other systems in the IT 
infrastructure. 

• Analysts. They use Service Manager to manage and work on incidents and change requests. They often work in the IT department or staff Help desks. Sometimes they're managers or HR staff members who need to authorize certain types of actions.

• End users. They use Service Manager 
to request software, change their 
passwords, search the knowledge base 
(i.e., a collection of articles that can 
aid in the resolution of incidents and 
problems), log new incidents, look at 
announcements, and perform other 
actions. 

Correspondingly, Service Manager provides three UIs out of the box:

• Service Manager console. Like the consoles for the other System Center products, the Service Manager console is built on the common Service Manager UI framework and not the Microsoft Management Console (MMC). The big advantages of the Service Manager UI framework are its flexibility and its ability to show only the items that a user has permission to access, which gives a much cleaner interface to users who have been granted specific rights to specific groups of objects. The Service Manager console is primarily used by administrators, analysts, and people who run reports.

• IIS-based self-service portal. This self-service portal provides two separate websites. The first website is for end users. On this website, end users can search the knowledge base, check the status of change requests, raise new incidents, and more. The second website is for analysts. On it, analysts can approve change requests, view work items assigned to them, and more.

• SharePoint-based self-service portal. This portal provides the same functionality as the IIS-based self-service portal. However, it uses SharePoint Web Parts, which enable the Service Manager web interface to integrate with the existing SharePoint infrastructure.

Learning Path

Other articles about System Center:

• "The 4 Pillars of System Center Configuration Manager," InstantDoc ID 95959

• "Operations Manager Dashboards," InstantDoc ID 129233

• "System Center Operations Manager 2007 Add-ons," InstantDoc ID 101301

• "Top Ten: New Features in Virtual Machine Manager 2012," InstantDoc ID 136125

Q&As about System Center:

• "Q: How can I track CAL usage of Microsoft products in my environment?" InstantDoc ID 130073

• "Q. How can I enable the firewall exceptions for deploying the System Center Configuration Manager (SCCM) 2007 client using Group Policy?" InstantDoc ID 129697

• "Q. I didn't back up the System Center Service Manager (SCSM) encryption key during my installation and now I want to perform the backup. How do I do it?" InstantDoc ID 129684

• "Q. What OSs are supported as System Center Configuration Manager (SCCM) 2007 Branch Distribution Points (BDPs)?" InstantDoc ID 129223

• "Q. Is there a way to document my System Center Configuration Manager 2007 (SCCM) configuration automatically in a human-readable form?" InstantDoc ID 103262

Other interfaces are available, but they're primarily used for custom forms and workflows. You can create custom forms, workflows, and other components with the Service Manager Authoring Tool. To use this tool, you don't need a huge amount of training because it uses drag-and-drop functionality. You can download the Authoring Tool at tinyurl.com/SCSMAuthoringTool. For more information about customizing Service Manager, see the System Center Service Manager 2010 SP1 Authoring Guide (technet.microsoft.com/en-us/library/ff597545.aspx).

Figure 2: The Service Manager console. The Getting Started pane lists the initial tasks to complete before you begin using Service Manager: Set Up Notifications (configure notification channels, create e-mail templates), Import User Accounts (import user accounts with the Active Directory connector, create and assign user roles), and Create Connectors (create a Configuration Manager connector and an Operations Manager connector so that incidents can be created from Configuration Manager DCM problems and Operations Manager 2007 alerts).

The Service Manager Console Up Close 

The easiest way to get a feel for the use and capability of Service Manager is to look at the Service Manager console. As Figure 2 shows, there are six workspaces in the console, which reflect Service Manager's six main functionality areas: Administration, Library, Work Items, Configuration Items, Data Warehouse, and Reporting. Before I highlight the key points in each workspace, I want to point out that in Figure 2 I'm logged on as a full administrator, so all the workspaces and options are displayed. If I were running the console as an end user, I would only see the workspaces and options I have permission to access. Role-based access control is a big feature of Service Manager and the rest of the System Center products.

Administration. The Administration workspace will be the starting point for any new Service Manager deployment. In it, you can configure Service Manager's integration with other systems, such as AD, SCCM, and Operations Manager. You'll definitely want to connect Service Manager to AD, as this will allow you to import your user, group, printer, and computer objects, along with any attributes you've set for them.


Note that the connector to AD is one¬ 
way. Thus, if you modify the attributes of 
configuration items (aka objects) in Service 
Manager, you also need to change the attri¬ 
butes in AD. Otherwise, the next time AD 
synchronizes with Service Manager, AD 
will overwrite the changes you made. You 
can have Service Manager synchronize 
with the entire AD namespace or a subset 
of it (in which case, you specify the types of 
objects that should be synchronized). 

Besides configuring integration, you'll need to assign user roles to users in the Security area of the Administration workspace. By default, there are 11 roles: Activity Implementers, Administrators, Advanced Operators, Change Initiators, End Users, Read-Only Operators, Authors, Problem Analysts, Workflows, Incident Resolvers, and Change Managers. If these roles don't meet your organization's needs, you can create custom user roles.

Another configuration 
you'll probably want to make 
is setting the retention times 
for the data in the Service 
Manager database. You do 
this in the Settings area of the 
Administration workspace. 
This is also where you con¬ 
figure incident settings. For 
example, you can attach a 
prefix to the incident IDs that 
will be generated, specify how the priority 
should be calculated for an incident, and 
set limits for files that users can affix to 
incidents they raise (e.g., allow only two 
attachments up to 512KB each). 

Making configurations isn't the only thing you can do in the Administration workspace. You can perform a variety of other tasks, such as creating announcements and importing management packs. The Announcement area is where you create announcements that will appear on the self-service portal. You have the option of setting an expiration date, so you don't have to worry about removing announcements once they're no longer valid.

Figure 4: The Incident Classification list in a form

Management packs are .xml files that 
define forms, workflows, classes, views, 
and reports in Service Manager. When you 
create a new workflow, for example, you're 
creating a new management pack. To 
import that management pack into Service 
Manager, you use the import functionality 
in the Administration workspace. 

Library. The Library workspace exposes the various configuration data elements of the Service Manager system, which are used throughout the product. For example, all the options shown when creating an incident can be easily changed by modifying the relevant list item, which I'll elaborate on shortly. You can define groups of configuration items, much like you can create containers for objects in AD.

The Library workspace's Knowledge 
area is where you can create and maintain 
the knowledge base. The knowledge base 
articles are the primary vehicle for sharing 
knowledge. When users access the self- 
service portal, a list of the top knowledge 
base articles is automatically generated 
and shown on the start page. 

Another key part of the Library workspace is the Lists area. When users create and modify work items, there are often drop-down lists they can use to select the type of problem they're having and what system it's affecting. If you want to change what options are displayed in the drop-down list, you go into the appropriate list and add or remove items, as Figure 3 shows. Figure 4 shows this drop-down list in a form.

Templates are another great feature in the Library workspace. Besides using the self-service portal, users can submit incidents and changes by email or phone. Rather than have analysts waste time repeatedly typing in the same information and settings, they can quickly apply a template that populates most of the common fields for various types of common requests. Templates can also be applied automatically by workflows to route and classify work items based on certain conditions.

Work items. Analysts often use the Work Items workspace, as it contains the incident, problem, change, and activity items they work on. In each workspace area (e.g., Change Management area, Incident Management area), there are a number of default views. For example, Figure 5 shows the default views for Incident Management (e.g., All Incidents, All Open Incidents, All Open Portal Incidents). On the right, note the tasks pane. Each view includes the tasks that are available for that type of work item. In this case, there are many available tasks for incidents. For example, analysts can change an incident's status, create a change request based on an incident, escalate an incident, and even perform certain tasks to help resolve an incident, such as perform a ping. Any task performed is automatically logged in the incident's history, giving a full account of the actions taken and progress made. By default, end users can see the history for the incidents they create. However, analysts have the option to mark certain items in the history (e.g., comments) as private so they won't be visible to end users. Analysts also have the ability to create custom views.

Configuration items. The Config¬ 
uration Items workspace gives you access 
to the computers, printers, users, soft¬ 
ware, software updates, business ser¬ 
vices, and any other type of defined 
or imported configuration item within 
your organization. In most environments, 
there isn't a lot of manual management of 
configuration items in Service Manager. 
Instead, the configuration items are man¬ 
aged through their respective connected 
systems (e.g., AD, SCCM, Operations 
Manager). 

The Configuration Items workspace doesn't provide a "dumb" view of the configuration items replicated from different sources. Because the configuration items from the connected systems are consolidated in the CMDB, relationships are ascertained. So, when you examine a configuration item in the workspace, you'll see AD, SCCM, and Operations Manager information about that item as a single entity, which helps with analyses. For example, if you're examining a software package, you'll see any related change requests or incidents that involved that piece of software.

Figure 5: The Incident Management default views

Figure 6: Service Manager reporting on the SSRS instance

Figure 7: IIS-based self-service portal

Data warehouse. In the Data 
Warehouse workspace, you perform the 
tasks that relate to populating, managing, 
and securing the data warehouse manage¬ 
ment server. 

Reporting. The Reporting workspace exposes all the available reports, which actually run on the SSRS instance. You can also run the reports directly on the SSRS instance, as Figure 6 shows. You can create your own custom reports and display them in the Reporting workspace by following the instructions in the SCSM Engineering Team blog "How to create a custom report and display it in the console" (tinyurl.com/SCSMCustomReport).

The Self-Service Portal Up Close 

End users and analysts interact with Service 
Manager through the self-service portal. 
On the end user website, end users can eas¬ 
ily raise an incident, request new software, 
and request other types of changes. Once 
submitted, they can use the portal to easily 
see the state of all their open and resolved 
incidents and requests. The ability for end 
users to self-resolve problems by searching 
for known issues in the knowledge base can 
cut down on the number of incidents the 
users actually raise, reducing the overhead 
for the Help desk team. 

On the analyst website, analysts can view and manage the incidents and change requests assigned to them. This site could also be used by managers who need to approve a change for an employee or sign off on a document.

Figure 7 shows the IIS-based portal out of the box, with no changes made to it. The source code for the self-service portal is available, so you can customize the look, feel, and functionality of it. For more information on the customizations possible, see "Service Manager Portal Source Code Released!" (blogs.technet.com/b/servicemanager/archive/2011/03/02/service-manager-portal-source-code-released.aspx).

As I previously mentioned, if you use SharePoint, you don't need to use the IIS-hosted portal. Instead, you can use the SharePoint-based portal. You can even place Service Manager Web Parts on users' My Sites to give them easy access to Service Manager information.

More Than Just a Ticketing System 

It's important not to think of Service 
Manager as a ticketing system. Yes, it has 
great ticket-management features, but its 
true power lies in its integration with the 
rest of the IT infrastructure and in the 
CMDB, which enables workflows to get sep¬ 
arate systems working together. Although 
Service Manager is in its first released ver¬ 
sion, it already has a rich partner network, 
including a key partnership with Provance, 
which adds asset-management capabilities 
to Service Manager. 

I've spoken to a number of Service Manager adopters and the common message from all of them is just how quickly they were able to achieve great results. The SCSM Engineering Team Blog (blogs.technet.com/b/servicemanager) has been instrumental in a number of successful Service Manager rollouts and has a lot of great content about implementing Service Manager.

InstantDoc ID 136007 
It can save you time and aggravation

by Alex K. Angelopoulos

Windows IT Pro


The Windows PowerShell Integrated Scripting Environment (ISE) is a combined shell, debugger, and script editor that comes with PowerShell. Considering its capabilities, it's significantly underused. After I talk about the reasons why the PowerShell ISE is underused, I'll explore how to take advantage of it.

Before getting started, however, let me mention the two things you can't do with the 
PowerShell ISE: 

• You can't run or even install the PowerShell ISE on Windows Server 2008 Server Core because 
the ISE depends on graphical APIs that aren't available. 

• You can't run interactive console applications within the ISE because it doesn't have console 
APIs. You can still use console applications non-interactively or start an external instance of one. 


Why the PowerShell ISE Is Underused 

A common reason the PowerShell ISE is underused is lack of knowledge about its capabilities. When I say the ISE is underused, I don't just mean people using the PowerShell console application instead of the ISE. I also mean people using the PowerShell ISE who don't take advantage of its labor-saving features.

A second reason for the underuse is that on Server 2008, only the console version of PowerShell is 
installed by default. The PowerShell ISE isn't installed because it uses the Microsoft .NET Framework 
3.5.1, which isn't installed. If installing the .NET Framework 3.5.1 isn't a problem, you can install the 
PowerShell ISE without rebooting. Here's how: From the server console, open Server Manager, go to 
Features, then choose Add Feature. Select Windows PowerShell Integrated Scripting Environment 
from the feature list, and click Install. Windows prompts you for confirmation that you also want to 
install the .NET Framework 3.5.1. Click Yes, then proceed with the installation. 

Alternatively, from a console PowerShell prompt, you can run the following two commands: 


Import-Module ServerManager        # load the Server Manager cmdlets
Add-WindowsFeature PowerShell-ISE  # install the ISE feature (requires .NET Framework 3.5.1)

GUI Conveniences in a Shell 

An immediate benefit of using the PowerShell ISE is its general features as a shell. You get access to 
many of the same keyboard accelerators and other conveniences that are standard across graphical 
applications. So, Ctrl+A selects everything in a pane, Ctrl+C copies, Ctrl+X cuts, and Ctrl+V pastes. 
Although not earth shattering, this feature repeatedly saves you little bits of time and effort. The com¬ 
plete list of keyboard shortcuts for the PowerShell ISE is available at tinyurl.com/3odjda4. 

The accessibility of this graphical application is even more significant. Although the benefits are easy 
to overlook when you're used to working with graphical applications, the PowerShell ISE provides: 

• Visibility. You can see many possible processing actions on the toolbar. 

• Hints. The pictures on icons and the labels on menus and menu items suggest uses. 
THE TOP 10

Technical Tips for Virtualizing Tier 1 Business-Critical Applications


Critical Tier 1 applications in today's highly competitive business environments need two essential attributes to 
survive: agility and resilience. Agility gives you the ability to scale-up, or scale-down, performance capabilities 
for essential applications—such as Oracle, Exchange, SAP, SQL, and custom Java apps—in response to changing 
business conditions. Resilience lets you keep these critical applications online even when component failures 
occur, ranging from small single-device outages to major data center catastrophes. Virtualization is the technol¬ 
ogy enabler for both of these attributes. In fact, the consensus of IT experts is that you simply can't achieve both 
without virtualization. Getting your arms around the process for achieving agility and resilience can be daunting. 
This list of Top Ten tips for Tier 1 virtualization is a handy guide to see you through the course. 



1. Start your virtualization journey with a few small projects, both to gain operational experience 
that will make your future projects more successful, and to give you a better sense of product features 
that work well for your organization. A key step to choosing that initial project is assessing your existing 
server infrastructure to find self-contained applications that are less critical, and thus will suffer a lower 
impact from the learning process. Fortunately, virtualization platform vendors such as VMware offer a 
wealth of easy-to-use self-assessment tools that largely automate this process, so asking your platform 
vendor to demonstrate their assessment offerings is an excellent first step. 

2. Virtualization introduces additional management complexity that ultimately yields many rewards, such as the ability to move workloads between servers, and to detect and respond to impending failures before they cause application outages. It's far easier to exploit management advantages if you begin with a solid management infrastructure. You'll invest some time up front learning how to use tools such as VMware vSphere, but this investment will pay off when you virtualize demanding applications such as Oracle databases or Microsoft Exchange. You'll also save money by avoiding unnecessary and expensive over-provisioning, a common slip for first-time virtualizers.

3. The ability to move applications from one physical server to another—virtual machine (VM) 
mobility—is an extremely powerful way to make applications instantly more mobile while giving 
you new disaster recovery (DR) and business continuity (BC) options. A prerequisite for VM mobility 
is a Storage Area Network (SAN), which relocates application code and data from server-internal hard 
disks to a centralized array of disks, giving you economies of scale, improved disk space utilization, and 
the ability to quickly add storage capacity without disrupting applications. These advantages are too 
important to lose, so don't deploy even one application in production without having a SAN in place. 
Fortunately, SAN appliances are both easy to set up and very cost effective compared to internal server 
storage, so there is no reason to not start with one. 

4. Reaping virtualization's DR and BC advantages requires different thinking than 
traditional application deployment: thinking in twos. Recovering from failures means having redundant 
resources, so include pairwise-design in your virtualization planning. You can do this even with a small 
virtualization project, by deploying two smaller rather than one large physical server, doubling up on 
disk capacity using two enclosures, installing dual Ethernet interfaces connected to pairs of switches, 
themselves having double interconnects, etc. At the application level, consider cluster techniques where 
resources such as the database and web server are paired with virtual companions in self-contained 
clusters that can operate—and fail over—together. Facilities such as Oracle's VM Storage Connect and 
Real Application Cluster (RAC) let you replicate data between clusters, giving you zero-downtime failover. 
5. Every enterprise has a fiduciary responsibility to ensure the privacy of its data and applications. Virtualization gives you new opportunities for locking down your application infrastructure, using services such as VMware vShield, which goes beyond physical security to automate policy enforcement using application-aware introspection. Virtualization also enables a slew of advanced storage encryption capabilities to further bullet-proof application security. Oracle's Transparent Data Encryption (TDE) lets you protect sensitive data, a critical compliance requirement, via ultra-fast hardware encryption, without modifying your applications. VM mobility, such as VMware vMotion, lets you move applications to physical servers that have additional hardware encryption capacity when workload increases need extra performance.

6. There was a time when virtualization could not be used for certain resource-intensive applications, such as databases like Oracle and SQL Server, and high-transaction-rate applications like Exchange Server. But virtualization technology has advanced to the point where the performance objection is now moot. The "hypervisor tax," the CPU and memory overhead incurred by virtualization services, is now just a few percent. Multicore CPUs (six cores are now common) and massive memory architectures measured in terabytes ensure that hardware capacity is never a limiting factor. Avoiding resource bottlenecks, however, requires close resource monitoring. Fortunately, sophisticated management toolsets, such as vSphere, not only provide that monitoring but can automate application performance scaling to ensure users don't encounter the slowdowns common with traditional application hosting models.

7. Another common objection used in the past to dismiss virtualization is the perception 
of reduced reliability. It's true that a single physical host hosting multiple VMs naturally concentrates 
risk, in that failure of that host could disable all the applications it is running. But the technologies for 
reliable operation in the face of such failure—VM mobility, SAN replication and mirroring, application 
clusters—are well understood and very mature. You need only select the ones appropriate for your 
environment to not only meet traditional reliability metrics, but exceed them. With appropriate design, 
you can obtain DR and BC capabilities practically for free in the bargain. 

8. Security concerns, particularly where compliance requirements such as PCI DSS or HIPAA exist, are often cited as a showstopper for virtualization. But the reality is that a virtualized environment can be more secure than the physical server network it encompasses, if you take advantage of security-oriented hypervisor and virtual network capabilities. For instance, a physical server might reside on a common network with multiple unrelated servers, creating security vulnerabilities should one of the neighbor servers be compromised. VMs can be isolated from each other using Virtual Ethernet to create private VLAN subnets for each server. One virtualization attribute that can affect overall security is thick vs. thin hypervisor implementation. A "thick" hypervisor is built on a large, general-purpose operating system, which tends to be more susceptible to vulnerabilities than a small, purpose-built "thin" hypervisor running on "bare metal" hardware. The thin approach also enables strong isolation between VMs and the outside world, greatly reducing the risk of malicious activity reaching VM interfaces.

9. Moving existing servers into a virtualized environment requires preplanning and specialized tools, such as VMware vCenter Converter. Such tools let you efficiently manage the server move process, called Physical-to-Virtual (P2V) migration, reducing downtime and making possible multiple concurrent migrations. For the servers you select to migrate as a result of your self-assessment process (see tip 1 above), you must size the target VM (memory, disk, and CPU capacity) and audit each physical host's hardware configuration to verify compatibility. For example, a physical host with a hardware fax card will require transitioning to a TCP/IP-based fax service. Note that VM resource capacities will often be far less than the original host contained. That's because many physical hosts operate at just a few percent of their maximum capability; they were overbuilt to accommodate workload surges. Virtualization lets you get back those wasted resources, using dynamic workload management to add more memory and CPU capacity when needed, and SAN management to expand disk capacity to accommodate growth.

10. Once you've conducted self-assessment, created a comprehensive management framework, 
implemented SAN facilities, and embarked on one or two pilot projects, you'll be well positioned for 
migrating the rest of your data center to a virtualized infrastructure. You should proceed in a stepwise 
fashion with this migration, moving one application set at a time, to avoid unexpected problems and 
minimize production system disruptions. At each step in the process, verify that all essential legacy 
system interconnections still function as expected. It's also a good idea to capture key performance 
metrics, such as interactive response time and batch job run times, before and after the P2V process, to 
detect any resource contention issues, which you should resolve before proceeding to the next step. 
Figure 1: Setting up an interactive PowerShell session on a remote machine


• Proximity. Activating items takes only a 
few milliseconds. 

Another graphical element I find useful is the ability to have several sessions and scripts open at the same time in one instance. You can run up to eight PowerShell sessions at a time in the same window and a large number of scripts. (How large I can't say; I've had up to 300 short scripts open for editing at one time.)

At first glance, it might seem that a GUI focus is in conflict with PowerShell's philosophy. However, there's no conflict. What ties PowerShell together isn't the console window's APIs but the concept of pipeline-based processing, and the pipeline works the same way in the ISE. Making use of any tool that simplifies work is the real PowerShell philosophy.

Easy Remote Sessions 

One of PowerShell 2.0's features is session 
remoting. The PowerShell ISE walks you 
through setting up an interactive PowerShell 
session on a remote machine. To begin, 
select New Remote PowerShell Tab from the 
File menu (or press Ctrl+Shift+R). You'll get 
the prompt shown in Figure 1. After you enter 
the information and click Connect, you'll get 
the standard credentials dialog box. 

Alternatively, you can use the Enter-PSSession command to set up an interactive PowerShell session on a remote machine. However, I find that setting it up through the File menu saves a bit of time and a lot of annoyance, making the New Remote PowerShell Tab option one of my favorites.
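The dialog in Figure 1 builds the same kind of session you can script yourself, and scripting it is what you want once the session has to carry more than a few interactive commands. The following PowerShell is an added example, not code from the article: the host name SERVER01 and the CONTOSO\admin account are placeholders, and it assumes PowerShell 2.0 remoting has been enabled on the target with Enable-PSRemoting and that both machines are in the same domain, so WinRM authenticates with Kerberos and verifies the server's identity. The common shortcut for reaching a workgroup machine, adding it to the client's WSMan TrustedHosts list, turns that verification off, so a host that spoofs the name can collect the credential you send; keep TrustedHosts empty on domain-joined clients where you can.

```powershell
# Added example (not from the article): scripting the remote session the
# New Remote PowerShell Tab dialog creates. Host and account are placeholders.
$computer = 'SERVER01'                                 # assumption: target host name
$cred     = Get-Credential -Credential 'CONTOSO\admin' # prompts, like the ISE dialog

# Check that the WinRM listener answers before trying to connect.
Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null

# One persistent session reused for several commands; cheaper than
# re-authenticating per call and the equivalent of the remote tab.
$session = New-PSSession -ComputerName $computer -Credential $cred

# Non-interactive use: run a script block remotely and get objects back.
$hotfixes = Invoke-Command -Session $session -ScriptBlock {
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn
}
$hotfixes | Format-Table -AutoSize

# Interactive use: same as the remote tab. Type 'exit' to return to the
# local prompt; the session object stays open for further Invoke-Command calls.
Enter-PSSession -Session $session

# Release the remote runspace when finished.
Remove-PSSession -Session $session
```

Paste it into the ISE's command pane rather than running it as a script: the Enter-PSSession line turns the pane into the remote prompt exactly as the remote tab does, and the prompt shows the remote computer name while you're connected.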

Lightweight Advanced Editing 

I still prefer to use the two text editors I know well (SAPIEN Technologies' PrimalScript and Helios Software Solutions' TextPad), but if you don't have a favorite editor, the PowerShell ISE beats Notepad hands down, even for editing files that aren't scripts.


For PowerShell scripts and modules, the ISE supports tab-completion of command and variable names and provides syntax coloring for various kinds of tokens (e.g., commands, parameter names, keywords). You can also open any text file in it, which I find useful at client sites since the ISE supports using regular expressions in search and replace operations, as Figure 2 shows. The Match case and Whole word options work with or without regular expressions. 

Easy Debugging 

The PowerShell ISE definitely makes debugging easier. Here's how to debug a script in the ISE: Open the script you want to debug in the PowerShell ISE. You have to save a script before you can debug it. Debugging operations are disabled in a new, unsaved .ps1 script in the PowerShell ISE. 

Next, go to the line where you would like the execution to pause and select Toggle Breakpoint from the Debug menu (or press the F9 key). When setting breakpoints, keep the following in mind: 

• You can't set a breakpoint on an empty line. The PowerShell script interpreter ignores empty lines, so such a breakpoint would never be encountered anyway. 

• You can set breakpoints on a comment line. However, if there are no actual lines of code following a comment line with a breakpoint, the breakpoint will never be encountered in the script because PowerShell execution terminates at the last executable line of code. In this case, the PowerShell ISE will display a warning message that reads something like WARNING: Breakpoints will not be hit. 

After setting the breakpoints, choose Run/Continue on the Debug menu (or press the F5 key). The ISE will run the script to the first breakpoint you set, then halt. You can then view the current values of variables by hovering your mouse over them in the script editor. You can also display the call stack (i.e., the list of script blocks that the code has entered) by selecting Display Call Stack from the Debug menu. To continue the script's execution, choose Run/Continue on the Debug menu (or press F5) again. You can manually stop the debugger at any time by selecting Stop from the Debug menu (or by pressing Shift+F5). 

Figure 2: Using regular expressions in search and replace operations 

Listing 1: Code That Uses the $psISE Variable to Access the PowerShell ISE 

A) # Using $psISE to set up an add-on menu. 

# Store the Add-ons menu in $Addons to save typing. 
$Addons = $psISE.CurrentPowerShellTab.AddOnsMenu.SubMenus 

# Clear it. 
$Addons.Clear() 

# Add a display name, script block, and keyboard shortcut. 
$Addons.Add("Ping Google",{ping www.google.com},"Alt+P") 
$Addons.Add("Traceroute", 
    {tracert $(Read-Host "Traceroute target:")},"Alt+T") 

B) # Using $psISE to save the current session output to a file. 
$psISE.CurrentPowerShellTab.Output.Text | 
    Set-Content c:\tmp\out.txt 

C) # Using $psISE to modify the display font. 
# Can use in Microsoft.PowerShellISE_profile.ps1 
$psISE.Options.FontName = "Consolas" 
$psISE.Options.FontSize = 12 

You can also use the debugger with scripts that have mandatory command-line parameters. After setting breakpoints in the script, simply enter the script's name and its required parameters at the PowerShell prompt instead of using the Debug menu or pressing F5 to start debugging. The script will automatically run in the debugger. To see the debugger in action, check out the article "Editing and Debugging Scripts with PowerShell 2.0's Integrated Scripting Environment" (InstantDoc ID 104713). 
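The same breakpoint workflow can be driven from the command line, which is useful when you want to reproduce it outside the ISE or keep it in a profile script. The following is an added example, not code from the article: it writes a small constructed script to a temporary path, sets a line breakpoint on it with Set-PSBreakpoint, and uses an -Action block to log the variable value and the call stack (the command-line equivalent of hovering over a variable and choosing Display Call Stack) before letting execution continue. The script content, its path under $env:TEMP, and the function name Build-Greeting are all constructed for the example.

```powershell
# Added example (not from the article): driving the ISE's breakpoint
# workflow from the command line with Set-PSBreakpoint.
# The script below and its temporary path are constructed for the example.

$scriptPath = Join-Path $env:TEMP 'bp-demo.ps1'

# A small script with a function, saved to disk: like the ISE, line
# breakpoints need a saved file to attach to.
@'
param([string]$Name = "world")
function Build-Greeting {
    param([string]$Who)
    $text = "Hello, $Who"
    return $text
}
Build-Greeting -Who $Name
'@ | Set-Content -Path $scriptPath

# Break on line 4 ($text = ...), the same spot you would pick with F9.
# Because the -Action block does not call 'break', PowerShell runs the
# action and continues instead of dropping into the interactive debugger.
$bp = Set-PSBreakpoint -Script $scriptPath -Line 4 -Action {
    # $Who is visible here because the action runs in the paused scope,
    # which is what hovering over a variable in the ISE shows you.
    Write-Host "Line 4 reached: `$Who = '$Who'"
    # Equivalent of Debug > Display Call Stack.
    $frames = Get-PSCallStack | ForEach-Object { $_.Command }
    Write-Host ("Call stack: " + ($frames -join ' <- '))
}

try {
    & $scriptPath -Name 'ISE'
}
finally {
    # Clean up so the breakpoint and file do not linger in the session.
    Remove-PSBreakpoint -Breakpoint $bp
    Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
}
```

Remove the -Action block (or put a `break` statement inside it) if you want the session to stop at line 4 and hand you the `[DBG]>` prompt instead, which is what the ISE's Run/Continue does after a Toggle Breakpoint.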

Extensibility 

The PowerShell ISE has another useful feature of particular interest to advanced users: You can access the ISE as a PowerShell object through the $psISE variable, then extend or customize the ISE. 

Listing 1 provides several examples of how you might use the $psISE variable. The code in callout A uses it to extend the Add-ons menu. This menu isn't visible until you add a customization. In this case, a display name, script block, and keyboard shortcut are being added. 

You can use the $psISE variable to save all the output from the PowerShell tab you're on, as the code in callout B shows. You can also use the variable to set the ISE's default font size and family, as the code in callout C shows. This is an example of a customization that some people might like putting in a PowerShell profile script. 

You can download the code in Listing 1 by going to www.windowsitpro.com, entering 136036 in the InstantDoc ID text box, then clicking the 136036.zip hotlink. If you'd like more information on how to customize and extend the PowerShell ISE, see the "Windows PowerShell Integrated Scripting Environment (ISE) Help" topic in the graphical Help file that comes with the ISE. It covers the entire object model for the PowerShell ISE at length. 

A Matter of Preference 

Like most other small tools, using PowerShell ISE is generally a matter of preference. With that said, if you don't already use a modern text editor, I recommend that you try the PowerShell ISE. Its syntax highlighting and tab completion can reduce effort and errors significantly. Plus, its support for using regular expressions in search and replace operations is invaluable if you occasionally need to perform complex search and replace operations on large text files—PowerShell scripts or not. 

InstantDoc ID 136036 

Alex K. Angelopoulos (aka@mvps.org) is an IT consultant, an MCSE, and a contributing editor for Windows IT Pro. As an avid scripter, he regularly writes about administrative automation using WSH, PowerShell, and related technologies. 
Keep your cluster healthy 

by Greg Shields 

In any VMware vSphere environment, the job of load balancing falls to vSphere's Distributed Resource Scheduler (DRS) functionality. DRS clusters ESX and ESXi hosts together, with the goal of finding the best balance of virtual machines (VMs) across hosts. DRS is a fantastically useful solution, particularly in infrastructures with large numbers of virtual hosts. Without its automation, the constant job of monitoring and correctly placing VMs onto hosts falls to human eyes—and no human alive can accomplish the job as skillfully as a mathematical equation combined with a set of good monitors. 

Although DRS at first blush feels exceptionally simple, you'll be surprised at how many calculations really go on under its demure veneer. Its interface might look simplistic, but being successful with DRS requires significant effort along with a healthy dose of restraint. The effort lies in setting it up properly—make a few poor settings, and you'll hinder it from doing its job. The restraint lies in not inadvertently constraining its activities—constrain too far, and you might not be load balancing at all. 

It's important that you take a very close look at your DRS settings, as well as a few other settings that can cause problems. In some cases, good-faith attempts to control a cluster can in fact do more harm than good. To avoid making such a mistake, check out the following tips for successfully managing DRS. 


Tip #1: Don't Think You're Smarter than DRS 

I once bet against a fellow consultant, siding with DRS's capabilities over his. This person believed that his manual load-balancing skills were far superior to DRS's calculations. According to this administrator, his reason for keeping DRS's automation level at manual was that he had checked all the counters and placed his VMs where they should be. He didn't think DRS could improve on what he had already done—plus, he didn't trust DRS's automation. 

With a free lunch on the line, I convinced my coworker to switch his cluster's automation level from manual to fully automated and set its migration threshold to apply priority 1, priority 2, and priority 3 recommendations, as Figure 1 shows. This setting, which can be found in the VMware DRS node of the cluster's properties screen, is midway between conservative and aggressive. 

We stepped away for a few hours and came back to discover nearly every VM now located on a 
different host. My coworker bought lunch that day. 

DRS's three automation levels determine how much control DRS's services have over relocating 
VMs. The manual mode does nothing but advise. The partially automated mode acts only when VMs 
are initially powered on. These two options make suggestions and wait for you to act. Only the fully 
automated mode enables the cluster to automatically relocate VMs based on monitoring calculations. 
VMware and most experts suggest that DRS's fully automated mode is the best selection for almost 
every cluster. 
Figure 1: Fully automated DRS migration threshold 


The biggest benefit of the fully automated mode is that the cluster is rebalanced quickly. Allowing DRS to perform actions on your behalf can help resolve performance problems before they affect users. 

Tip #2: Know DRS's Rebalancing Equations 

The first tip's suggestion doesn't mean you should trust DRS without verifying its activities. Enabling the fully automated mode allows DRS's cluster-wide mathematical model for determining cluster balance. This model isn't difficult to understand, and knowing it will help you determine the best migration threshold setting. Depending on your needs, this setting might end up a touch closer to conservative or perhaps more toward aggressive. 

A short primer is in order. First, be aware that a DRS interval is invoked every 5 minutes. During that pass, DRS analyzes resource utilization counters across every host in the cluster. It then plugs this data into a calculation to determine whether or not resource use across the cluster is balanced. 

The concept of cluster balance can be difficult to grasp, so a mental picture helps. Imagine a multisided table with only one leg mounted in its center. Each side of this table represents one of the hosts in your cluster. The center leg can hold the table up only when the weight on all sides is balanced. 

Now imagine what happens when processor and memory utilization on one host becomes comparatively greater than on others. Unbalanced, the table starts to tip. To fix that problem and rebalance the table, DRS must migrate one or more VMs to a new host. 

Before determining which VM to move, DRS must first determine whether or not the cluster is indeed balanced. That calculation starts by determining the load on each host, summing the assigned entitlements for each VM on that host, and then dividing the resulting value by total host capacity. The equation looks like the following: 

    Σ(VM Entitlements) 
    ------------------ 
      Host Capacity 

In this calculation, VM Entitlements encompasses any CPU or memory reservations or limits you've set on VMs. Also factored in are CPU resource demand and memory working set size, which are both dynamic measurements. You can determine Host Capacity by adding up total CPU and memory resources on the host and subtracting the VMkernel overhead, Service Console overhead, and a 6 percent extra reservation. A cluster with HA and Admission Control enabled may also subtract an additional reservation that's required to meet its high-availability goals. 

After these steps are completed, it's useful to know a bit of statistics for the next step. With the load of every host now calculated, it becomes possible to determine the mathematical standard deviation across all the loads. If you never took a statistics class, think of the standard deviation as a measurement of how far away the cluster's individual loads are from the average load (and thus how far away the cluster is from being balanced). A greater standard deviation signifies a greater imbalance. 

DRS calculates these numbers for you. Figure 2 shows a screenshot from the Summary tab of an example cluster. In this cluster, the target host load standard deviation is set at less than or equal to 0.2. This value represents the greatest amount of imbalance the cluster will accept before doing something. You can also see that this cluster is experiencing a current host load standard deviation of only 0.074—which is less than 0.2, so this cluster is balanced. No VMs need to be relocated. 

This example represents how things look when a DRS pass finds everything to be well-balanced. But what happens when the resource utilization of one or more VMs spikes? When this happens, the cluster might exceed its target host load standard deviation, and our proverbial table begins to lean. Fixing the problem requires moving VMs around to rebalance the load. 

DRS's next task is to determine which VMs have the largest effect toward fixing the problem. During this period, DRS simulates a series of VM migrations between hosts to identify and prioritize each option. The best options are those with the greatest effect on rebalancing the cluster, with the least risk of causing future imbalance. 

Figure 2: Target and current host load standard deviation (the cluster's Summary tab, showing Migration Automation Level: Manual; Power Management Automation Level: Off; DRS Recommendations: 0; Migration Threshold: Apply priority 1, priority 2, and priority 3 recommendations; Target host load standard deviation: <= 0.2) 

The priority level of any potential move is calculated using the following equation: 

    Priority = 6 − ⌈ (Current Host Load Standard Deviation ÷ 0.1) × √(# Hosts in Cluster) ⌉ 

The brackets in this equation represent the mathematical ceiling operator, which rounds up its contents to the next integer number. Thus, a potential move in a four-host cluster that reduces the current host load standard deviation to 0.14 would have a resulting priority of 3. As you can surmise from the equation, each possible move can be assigned a priority from 1 to 5, with lower numbers signifying higher priorities and greater effects on fixing the imbalance. 

At this point, how you set your migration threshold setting becomes important (see Figure 1). In our example, the migration threshold was set to the middle option, which tells DRS to automatically apply any priority 1, 2, or 3 recommendations but ignore everything else. Suggested moves with a smaller effect on rebalancing the cluster—in this case, those with priorities 4 or 5—are ignored. 

The potential move in the previous equation has a priority of 3. This value is within the configured migration threshold, so DRS will migrate the VM to its new host. This process of determining possible moves, calculating their effect, and choosing whether to invoke the vMotion migration continues until the current host load standard deviation drops below the target host load standard deviation. 

Be aware that priority 1 recommendations always represent special cases. These are mandatory migrations that must occur to resolve a major problem. Example problems include a host entering maintenance mode or standby mode, an affinity or anti-affinity rule being violated, or the summation of VM reservations on a host exceeding the host's capacity. 

Although you obviously want a well-balanced cluster, trying too hard for the perfect balance can actually be detrimental. Selecting too aggressive a threshold has disadvantages, because every rebalancing requires one or more vMotion migrations, with every vMotion migration consuming resources. Thus, your goal should be to find the middle ground of not necessarily completely balanced, but balanced enough. 
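To make the two calculations in this tip concrete, the following PowerShell is an added example, not from the article or from VMware. It computes each host's load from the entitlement sum and a capacity reduced by the 6 percent reservation, takes the standard deviation across hosts, derives the recommendation priority, and then simulates every single-VM move and applies the one that lowers the standard deviation most, repeating until the priority falls outside the migration threshold. The priority formula is VMware's published form, 6 − ⌈σ ÷ 0.1 × √hosts⌉, evaluated on the cluster's current host load standard deviation (the 0.14 in a four-host cluster quoted above gives priority 3 under it). The host and VM figures are constructed; HA admission control, memory, and affinity rules are left out.

```powershell
# Added example (not from the article or VMware): a plain PowerShell model of
# the Tip #2 calculations. The cluster figures are constructed. The 6 percent
# reservation comes from the article; the priority formula is VMware's
# documented form, 6 - ceil(stddev / 0.1 * sqrt(hosts)), evaluated on the
# cluster's current host load standard deviation.

function Get-HostCapacity {
    param([double]$Raw, [double]$Overhead)
    # Host Capacity = total resources - VMkernel/Service Console overhead,
    # less the 6 percent extra reservation (HA admission control not modelled).
    return ($Raw - $Overhead) * 0.94
}

function Get-StdDev {
    param([double[]]$Values)
    # Population standard deviation of the per-host loads.
    $mean = 0.0
    foreach ($v in $Values) { $mean += $v }
    $mean = $mean / $Values.Count
    $ss = 0.0
    foreach ($v in $Values) { $ss += ($v - $mean) * ($v - $mean) }
    return [math]::Sqrt($ss / $Values.Count)
}

function Get-RecommendationPriority {
    param([double]$StdDev, [int]$HostCount)
    # Lower number = higher priority; clamped to the 1..5 range.
    $p = 6 - [int][math]::Ceiling($StdDev / 0.1 * [math]::Sqrt($HostCount))
    return [math]::Max(1, [math]::Min(5, $p))
}

function Get-HostLoads {
    param([hashtable]$Sums, [hashtable]$Caps, [string[]]$Names)
    # Load per host = sum(VM entitlements) / host capacity.
    return [double[]]($Names | ForEach-Object { $Sums[$_] / $Caps[$_] })
}

function Invoke-DrsPass {
    param($Cluster, [int]$Threshold)
    $names = [string[]]($Cluster | ForEach-Object { $_.Name })
    $n     = $names.Count
    $caps  = @{}; $sums = @{}; $where = @{}; $ent = @{}
    foreach ($h in $Cluster) {
        $caps[$h.Name] = Get-HostCapacity -Raw $h.Raw -Overhead $h.Overhead
        $sums[$h.Name] = 0.0
        foreach ($vm in $h.Vms) {
            $sums[$h.Name] += $vm.Ent
            $where[$vm.Name] = $h.Name
            $ent[$vm.Name]   = [double]$vm.Ent
        }
    }
    $moves = @()
    while ($true) {
        $sd   = Get-StdDev -Values (Get-HostLoads -Sums $sums -Caps $caps -Names $names)
        $prio = Get-RecommendationPriority -StdDev $sd -HostCount $n
        # The threshold decides which priorities DRS acts on (1..3 for the
        # middle setting); anything weaker is ignored and the pass ends.
        if ($prio -gt $Threshold) { break }
        # Simulate every single-VM migration and keep the one that lowers
        # the host load standard deviation the most.
        $best = $null
        foreach ($vm in $ent.Keys) {
            $src = $where[$vm]
            foreach ($dst in $names) {
                if ($dst -eq $src) { continue }
                $trial = $sums.Clone()
                $trial[$src] -= $ent[$vm]
                $trial[$dst] += $ent[$vm]
                $tsd = Get-StdDev -Values (Get-HostLoads -Sums $trial -Caps $caps -Names $names)
                if ($null -eq $best -or $tsd -lt $best.StdDev) {
                    $best = @{ Vm = $vm; From = $src; To = $dst; StdDev = $tsd }
                }
            }
        }
        if ($null -eq $best -or $best.StdDev -ge $sd) { break }  # nothing helps
        # Apply the simulated vMotion and record the recommendation.
        $sums[$best.From] -= $ent[$best.Vm]
        $sums[$best.To]   += $ent[$best.Vm]
        $where[$best.Vm]   = $best.To
        $moves += [pscustomobject]@{
            Vm = $best.Vm; From = $best.From; To = $best.To; Priority = $prio
            StdDevBefore = [math]::Round($sd, 3); StdDevAfter = [math]::Round($best.StdDev, 3)
        }
    }
    return $moves
}

# Constructed four-host cluster; entitlements and capacity are CPU MHz.
$cluster = @(
    @{ Name = 'esx01'; Raw = 20000; Overhead = 1000
       Vms = @(@{ Name = 'vm-a'; Ent = 5000 }, @{ Name = 'vm-b'; Ent = 4000 }, @{ Name = 'vm-c'; Ent = 2000 }) }
    @{ Name = 'esx02'; Raw = 20000; Overhead = 1000
       Vms = @(@{ Name = 'vm-d'; Ent = 4000 }, @{ Name = 'vm-e'; Ent = 3000 }) }
    @{ Name = 'esx03'; Raw = 20000; Overhead = 1000
       Vms = @(@{ Name = 'vm-f'; Ent = 3500 }, @{ Name = 'vm-g'; Ent = 2000 }) }
    @{ Name = 'esx04'; Raw = 20000; Overhead = 1000
       Vms = @(@{ Name = 'vm-h'; Ent = 4500 }) }
)

# Threshold 3 = the middle migration threshold (apply priority 1, 2 and 3).
Invoke-DrsPass -Cluster $cluster -Threshold 3 | Format-Table -AutoSize
```

With these numbers the first pass finds a priority-3 imbalance, moves the one VM whose relocation evens out the host loads best, and then stops because the remaining imbalance only rates priority 4. Lowering -Threshold to 2 makes the pass ignore that same imbalance, which is the conservative end of the slider; raising it to 5 keeps DRS migrating for ever smaller gains, which is the vMotion cost this tip warns about.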

Tip #3: Be Conservative with Constraints 

vSphere is loaded—perhaps overloaded—with locations to set resource constraints. You can set rules to always locate a set of VMs on the same host or rules to always ensure they're on different hosts. With vSphere 4.1 you can set Virtual Machines to Hosts rules, which define groups of VMs that must, must not, should, or should not run on groups of hosts. 

These rules let you apply business logic to DRS's rebalancing equations. Some obvious situations come to mind immediately—for example, a data center that relies on two virtualized Active Directory (AD) domain controllers (DCs) probably doesn't want those servers running on the same ESX host. Losing the ESX host means losing domain services. Setting a Separate Virtual Machines rule, which can be done from the Rule node in the cluster's properties screen, as Figure 3 shows, enforces the separation no matter how unbalanced the cluster might get. In the same location, but for different reasons, a Keep Virtual Machines Together rule might be appropriate when a set of VMs rely on each other for data communication or because of security or compliance requirements. 

Resource allocation settings such as shares, reservations, or limits can also be set. These settings are applied to entire resource pools, or they can be discretely defined to individual VMs, as Figure 4 shows. Reservations set aside a specific quantity of resources that a VM will always have if resource contention occurs. Limits prevent VMs from consuming too many resources, regardless of whether those resources are in contention. Shares specify a relative importance among VMs, ensuring that resources in contention are assigned to VMs whose workload is most important to the business. 

Although they're useful in certain circumstances, all these nifty features mean more boxes to check and sliders to adjust. They also give the overeager administrator plenty of opportunities to create trouble in the name of resource optimization. 

The issue with these selections isn't their efficacy; they indeed prevent a poorly coded application from consuming too many host processor cycles or a high-priority VM from not getting enough resources when resources are tight. Problems do occur, however, when overeager administrators configure constraints that aren't actually necessary. Just because the options exist doesn't necessarily mean you should use them. 

The reasoning behind this statement lies in how resource constraints affect DRS's operations. Recall that DRS's central mission is to load-balance a cluster. That load-balancing calculation starts by analyzing every VM's resource entitlements, which include any statically set reservations or limits. Setting these reservations and limits in places where they aren't needed unnecessarily complicates DRS's rebalancing equations (from Tip #2). Reservations and limits can reduce the total number of possible moves by eliminating those which would violate resource constraints. In addition, reservations and limits might reduce the efficacy of possible remaining moves by forcing the cluster to balance itself based on resource constraints that aren't operationally valid. 

Figure 3: Setting VM rules 

Figure 4: CPU resource allocation for a VM 

Tip #4: Don't Use Too Many or Too Few Cluster Hosts 

DRS's delicate task of balancing VMs across hosts is a lot like assigning seats for a wedding reception. Each table can seat a certain number of people, with larger tables seating larger numbers of people. You can squeeze in more people per table if you're running out of tables—but with plenty of tables to spare, there's more breathing room for everybody (and your wedding guests are much happier). 

However, determining the exactly correct number of tables isn't the most obvious of tasks. At one extreme, you could just rent two big tables and seat everyone. At another, you could rent a bunch of small tables, each of which only seats a few guests. 

A problem occurs when you have too few or too many tables (or, following the metaphor, ESX servers). Two large-enough tables might indeed seat everyone at the party. But what happens when Uncle Bob's extended family suddenly can't sit near anyone associated with your wife's cousin Jane? Rearranging the chairs with only two very full tables requires a lot of extra thinking. 

Rearranging VMs between too few ESX servers is no different when resource contention occurs. With not enough places to go, DRS requires more moves and more impact to find the right balance. A much better situation is to ensure that plenty of ESX servers are available. More ESX servers means more options for its load-balancing calculation to place VMs. 

You can go too far with simply adding hosts, because having too many hosts introduces a completely different problem. A DRS cluster in vSphere 4.1 can handle up to 32 hosts and 3,000 VMs. That said, a greater number of hosts and VMs means a greater number of simulations DRS must undertake to find those with the greatest impact. Because DRS passes happen on 5-minute intervals, those calculations need to happen quickly before the next pass begins. As a result, spreading hosts and VMs across multiple clusters might be a better idea. 

In their book VMware vSphere 4.1 HA and DRS Technical Deepdive (CreateSpace, 2010), Duncan Epping and Frank Denneman believe the current sweet spot of hosts per cluster lies somewhere in the range of 16 to 24. This range, in their words, "[offers] sufficient options to load-balance the virtual machines across the hosts inside the cluster without introducing too many DRS threads in vCenter." 

Tip #5: Large VMs Limit Positioning 

Today's guidance for assigning resources to VMs suggests right-sizing processors and memory to exactly what the VM requires. Even though ESX can overcommit memory by using various technologies, these processes incur an unnecessary overhead that can be avoided by simply giving them what they need in the first place. The same holds true for processors—for most use cases, the rule of thumb is to assign only a single processor to each VM. 

However, sometimes the need still exists to create very large VMs with large quantities of assigned memory and multiple processors. These VMs can be database servers or high-powered application servers. Whatever their workload, these large VMs add pressure to DRS's calculations. As you can imagine, a big VM has a limited number of places to go when resources get tight. Some hosts in your cluster might not have the capacity to support a big VM. Others might not have enough physical resources to host it at all. Although your workloads necessarily drive the amount of resources assigned to each VM, you need to ensure that your cluster includes the capacity to evacuate a large VM elsewhere. Not doing so inhibits DRS from doing its load-balancing job. 

Not as Simple as It Looks 

VMware has done an excellent job of masking DRS's underlying calculations beneath a simple interface. Unfortunately, that simple interface belies the complex calculations that are really required to successfully balance a cluster. Smart administrators will pay careful attention to the monitoring data exposed inside each cluster's properties and ensure that their clusters are carefully built to grant DRS the greatest freedom in making the right decisions. Not doing so can result in poor performance and a lack of optimization for expensive physical resources. 

Don't make the mistake in your environment of assuming that DRS can handle every situation. Keeping this article's 5 tips in mind will help ensure that your cluster remains healthy even as resource utilization constantly changes. 
Get seamless integration across multiple communication modalities 

by Nathan Winters 

In the past few years, only virtualization and the cloud have rivaled unified communications (UC) as the latest IT buzz phrases. UC is all about integrating various communication modalities, such as email, IM, telephony, voicemail, video, fax, and conferencing into a single system and then providing contextual information to users to help them choose the best method to contact someone at any given time. For example, companies that have deployed a full UC system, such as Microsoft Lync Server 2010, have found that voicemail is a rarity because users can discover a contact's availability and then choose to email or IM rather than call. Taken further, UC can be embedded into the business process. An example would be a maintenance crew being selected based on presence and then contacted through an automated system either by IM or voice to be summoned to a job. 

This utopian vision requires a fair amount of work in the background. You have the obvious technical challenge of integrating the modalities; however, in many ways this is far simpler than changing the culture of a business—which requires making information such as presence and skill set freely available and working to achieve a flexible and empowered workforce of individuals who are trusted to work in support of each other and the organization wherever and whenever necessary. Any company that embarks on a UC project needs to clearly identify why it's doing so, outline its business and technical goals, and communicate why and how it will bring this change to users. 

What Is Lync? 

Lync is the new name for Microsoft's real-time communication platform, previously known as 
Microsoft Office Communications Server. OCS provided enterprise IM, presence, and conferencing 
with direct integration to the Microsoft Office suite of applications. It also provided nascent telephony 
functionality and conferencing features that were cost effective and easy to manage. 

In conjunction with Microsoft Exchange Server 2010 and Microsoft SharePoint Server 2010, Lync 
builds on its predecessor, OCS, in key areas: 

• The PC and browser client experience, which I discuss later in the article 

• Extensibility improvement through Microsoft Unified Communications Managed API (UCMA) 3.0, which provides a single set of APIs to access and control all modes of communication; the APIs ensure that access to communication modalities can be easily embedded in new and existing applications through Microsoft Silverlight and the .NET Framework 

• Management improvements (e.g., PowerShell, Silverlight web-based management console) 

• Improved telephony features 


These improvements are underlined by tight integration with the cloud as part of Microsoft's Office 
365 offering. Office 365 will provide the ability to host Lync either on premises or in the cloud and 
to have close interoperability and single sign-on (SSO) between systems such as Exchange and 
SharePoint whether in the cloud or on premises. 

The Lync Client 

With Lync, Microsoft has worked hard to streamline the client experience, moving toward a single client for real-time communication. The biggest change is that the separate Live Meeting client no longer exists, with the functionality integrated into the main Lync client. 

www.windowsitpro.com    Windows IT Pro    JULY 2011    39 

LYNC 2010 

Figure 1: Lync 2010's contact card 

The Lync client gives users all the necessary information to easily find and communicate with the correct person through the most appropriate method. Presence information is gathered from integration with Exchange calendar information and enhanced by real-time usage data from the PC, location, and device awareness. The addition of photos in presence, close integration with SharePoint 2010 or SharePoint 2007 for skills-based searching, and a Twitter-like update capability called the Activity Feed (which can provide status updates, Out of Office—OOF—messages, and notifications about photo changes) all provide a rich environment that lets teams work closely together and understand one another's goals. In addition, users can quickly and easily find the relevant person in an organization. Of course, organizations that want to disable functionality such as the Activity Feed can do so through client policies. 

The Lync client has been completely redesigned from OCS. It has a simple layout, with easily accessible key options; it operates based on four main tabs that provide contacts, activity feed, communication history, and telephony functions. Examples that demonstrate Lync's ease of use include the ability to effortlessly switch between audio devices even within a call, the ability to pop out the video feed in a call and move it to another monitor for ease of viewing, and the telephony tab's provision of visual access to voicemail and a large-size numerical keypad for dialing. 

Microsoft has done a lot of work to ensure tight integration between Outlook, Lync, and the wider Microsoft Office 2010 suite. (Of course, Lync also works with earlier versions of the Office suite. For detailed information about compatibility, see TechNet's Lync 2010 Compatibility page at technet.microsoft.com/en-us/library/gg412817.aspx.) 

One very effective Lync improvement when working with Office 2010 is the presence contact card, which is identical wherever presence is accessed across the Office suite. The contact card provides key details about people's locations and availability, as well as single-click access to the main modes of communication, as Figure 1 shows. For example, Lync consolidates contact objects found in the Global Address List (GAL), Outlook contacts, and potentially on Facebook and LinkedIn through the Outlook Social Connector (OSC), to present a single contact with all relevant information about a person. Another welcome addition, described as "the mother of all redials" at launch, is the new conversation history tab in the Lync client. This is another example of tight integration with Exchange because it uses either Exchange 2010 or Exchange 2007 as a data store to give instant visibility of all previous communication, whether over IM, voice, or conferencing, and lets users dive straight back into a previous conversation, with the context of what happened previously. 

One thing missing in Lync is a replacement for OCS Communicator Web Access. CWA provided basic IM and presence functions, as well as desktop sharing through a web browser. As I mention in the conferencing section later in the article, a basic browser client is included, but it's currently only able to provide access to conferences, as Figure 2 shows. 

Currently, if you need a more fully 
fledged web-based client, you must deploy 
CWA from OCS 2007 R2. Microsoft has 
plans for a native Lync web client, although 
the timeframe for release is unknown. 

Lync includes improvements for mobile device users, particularly BlackBerry users. BlackBerry Enterprise Server (BES) 5.0 SP3 includes a native Lync client that connects directly to Lync, just as Windows Mobile 6.5's Microsoft Office Communicator Mobile (CoMo) client does. BES 5.0 SP3 makes BlackBerry one of the most fully featured clients available for Lync (at least until the iPhone and Windows Phone 7 clients are released later in 2011). For die-hard Windows Mobile 6.5 device users, the existing CoMo client will still work with Lync. 

Figure 2: Lync 2010's basic browser client, showing the Lync web app connected to a conference 

Finally, it's worth noting that although the Lync client can be installed on Windows XP SP3 and later, a very capable Mac client is also available that works on Mac OS X 10.5.8 and later. This client, called Microsoft Communicator for Mac 2011, provides IM, voice, video, and conferencing features in addition to integration with Microsoft Office for Mac 2011. Unfortunately, some elements are currently missing, such as the ability to set up a conference via Microsoft Outlook 2011—but further functionality is likely forthcoming. For more details about specific features that are available, see the Microsoft TechNet Client Comparison Tables website at technet.microsoft.com/en-us/library/gg425836.aspx. 

Collaboration 

A key enhancement to the Lync client is the integration of Microsoft Office Live Meeting functionality, which no longer requires its own client. It's now possible to conduct rich conferencing sessions either on a planned (i.e., scheduled through Microsoft Outlook 2010, 2007, or 2003) or ad hoc basis through a single client. Features such as prior uploading of slides and handouts, presenter view with private navigation of slides and slide notes, animated slide builds, whiteboarding, and polls are all available. In addition, the ability to share either a program or the whole desktop while using audio and video feeds makes Lync a comprehensive conferencing system. Of course, conferences can be recorded and then directly uploaded to a SharePoint site for future viewing.

Some issues still exist with the Lync conferencing experience—for example, the inability to present a tiled view of all participants so you can view everyone in the conference simultaneously is annoying. Lync still works on the premise of showing current and previous speakers. You can work around this problem by using a third-party conferencing bridge such as those available from Tandberg, Polycom, and LifeSize.

Lync provides access to conferences for external partners in various ways. You can access a conference through a web browser, from which you have the choice to join the meeting from a phone number that you provide or via the Attendee client, which is a scaled-down Lync client that enables rich access to all elements of the conference, including voice and video access from a PC that isn't owned by the organization. Direct telephone access is also available. Dial-in conferencing services are enhanced in Lync to let participants dial in to any Lync conference. Once connected, users can use familiar, customizable dual-tone multi-frequency (DTMF) tones to control their participation. For example, participants can be asked to record their names and allowed to mute and unmute lines, and organizers can easily request a roll call.

Across all the new conferencing methods, the lobby feature is a great addition. This function provides a means for organizers to keep attendees outside the conference until admittance is suitable, to ensure a professional presentation. Hold music plays while participants wait in the virtual lobby. Although Microsoft doesn't support changing the hold music, you can do so, as the Microsoft article "How to customize voice prompts or music files for dial-in audio conferencing in Microsoft Office Communications Server 2007 R2," at support.microsoft.com/kb/961177, describes.

Telephony and Voice 

One of the product group's major focuses in updating Lync was to improve telephony functionality. The company's goal is to compete with Cisco and Avaya to be one of the top three enterprise telephony companies. Lync 2010's features help push Microsoft in that direction.

Architecturally, Lync includes many changes to support enhanced availability and failover capabilities both in the data center and in branch offices. Lync clients can connect either to a primary or backup registrar, which lets service automatically switch to a secondary data center in case of a disaster. Where a media path is maintained, existing calls will stay up. Specific to branch offices are Survivable Branch Appliances. These hardware solutions, offered by Microsoft partners such as NET Quintum, HP, Ferrari, and Audiocodes, are centrally managed and don't require extensive technical skills to deploy. The devices act as the registrar for local users; in the event of a WAN failure, they let calls route out of local Public Switched Telephone Network (PSTN) lines instead of over the WAN to the central office. For a list of supported devices, see the Lync Unified Communications Open Interoperability Program website at technet.microsoft.com/en-us/lync/gg131938.

An important new Lync feature is Enhanced 911 (E911) support. Lync can provide location information to emergency services via a Session Initiation Protocol (SIP) trunk. Location information is gathered automatically if a user is within the company network and the administrator has mapped the network into Lync's Location Information Service (LIS); in the case of an external user, the user is prompted to enter location information. This information is retained and automatically selected when Lync realizes it has connected to the same network before.

End users can benefit from many new features, including call park, second/private line, and a call quality tester. The quality tester is useful for unknown network, Wi-Fi, or ADSL connections. The user can simply place a call to an automated bot, record some audio, and listen to a playback to determine whether the voice quality is acceptable. Alongside this functionality is the ability to provide information to the user about reasons for poor call quality, as Figure 3 shows.

Lync still has the capability for work delegation, in which an assistant manages executives' calls; this functionality was introduced in OCS 2007 R2. In Lync, delegation management and operation is now handled through the Lync client rather than the Attendant Console. The Attendant Console is reserved for high call volume scenarios, such as an operator. In addition, users can now mark a call such as a bomb threat or simply an offensive call as malicious and have that information tagged for easy retrieval from Call Detail Records (CDRs) stored by the monitoring server role. This functionality is fairly limited at present; it doesn't immediately record a call or automatically notify administrators.

Figure 3: Lync 2010's call quality notifications

Other important updates are the implementation of Call Admission Control (CAC) and improvements in the response group application, which enables support for small contact centers. Microsoft implemented CAC to address the challenges of providing real-time communication over LANs and WANs with limited bandwidth. To configure CAC, you must work with your network administrator to define hub sites and WAN links. You must understand available bandwidth and codec usage and define the maximum bandwidth available to Lync to appropriately control the number of calls. When limits are reached, policies can be implemented to make intelligent routing decisions (e.g., routing video out over the Internet, handing off a call to the PSTN). Video and voice can be routed in different ways, improving the efficiency of bandwidth usage. Another benefit is that Lync logs all blocked and redirected calls to let you further tweak your policies as required. Regarding the response group improvements, a key element that stands out is the ability to support the aggregated presence of groups and to hide agents behind the group name, to provide agent anonymity.

Finally, Lync 2010 supports a wider 
range of devices, including common 
area and desk phones operating over IP 
rather than via USB connection to the 
PC. Although Lync still supports all the 
previous methods of interoperating with 
PBXs, it's now a credible replacement 
alternative. 


Management and Reporting 

Lync 2010 provides several improvements in the management and reporting space. The Microsoft Management Console (MMC) OCS snap-in has been retired and replaced with a well laid out, simple web-based control panel, as Figure 4 shows.

The Lync Server 2010 Control Panel provides easy access to key features without having to drill through multiple layers of configuration information. Being web based means that you can easily manage Lync from any computer running Internet Explorer (IE) 7.0 or 8.0 or Firefox 3 or later as long as the Microsoft Silverlight 4 add-in is installed.

As with Exchange 2010 and the majority of Microsoft's server applications, the entire Lync product is underpinned with PowerShell, which means that automation of almost any element is possible and documentation of configuration steps is easy. Of course, also as with Exchange, just as not everything can be configured from the shell, not everything can be done from the GUI. For example, the configuration of call park settings, announcements for unassigned extensions, and certain client policies can be done only through PowerShell. In general, the balance between the shell and the GUI is good—and with PowerShell becoming uniform across all Microsoft products, it's just one of those things that administrators have to learn.

Another positive is the implementation of role-based access control (RBAC). Management at the organization or pool level was very difficult to implement in OCS. The extremely limited delegation capacity didn't give global organizations the potential to easily delegate setup or administration and therefore required a central management team. Lync 2010 includes 11 predefined roles that cover many common administrative tasks. In addition, you can create your own custom roles for granular management delegation. Unfortunately, there's no direct integration with Exchange's RBAC system.

On the reporting front, Lync provides even more information and integrates closely with Microsoft System Center Operations Manager. For example, Lync 2010 includes actionable alerts; when an alert occurs, an operator can click a link to kick off an automated repair process (e.g., to restart services). This means that operators can restore service without administrative access to the boxes. Another addition is the ability to create synthetic transactions, which lets Operations Manager automatically carry out actions (e.g., dummy phone calls) to ensure service is always available.

Finally, Lync includes improvements to the call detail and call quality reports, which provide clear and useful reports for management. Reports are laid out on a dashboard, as Figure 5 shows, providing quick visual information and enabling drilldown into specific issues, such as poor call quality.

Deployment 

Many administrators considered OCS difficult to deploy; in addition, it required too many servers to support all the different features. In Lync 2010, Microsoft has done much to change that perception. Figure 6 shows Lync 2010's various server roles.

The front-end server is the hub of the system, acting as the point of configuration and the registrar for users. The back end is a SQL Server database server. The edge server facilitates external access. The mediation server transcodes between voice codecs and can be co-located with the front-end server. The AV conferencing role allows for scalability of conference Multipoint Control Units (MCUs) by hiving the workload onto separate servers. The archiving and monitoring servers provide a historical store of communication data and reports on calls, respectively. The director role acts as an additional security layer, protecting the front-end server, and also as a redirector, taking the load off the front end in deployments with multiple pools. Finally, group chat provides persistent chat rooms with extensive compliance and filtering capabilities.

Figure 4: Lync Server 2010 Control Panel

Figure 6: Lync 2010's server roles

In terms of supported platforms, as for much of the 2010 wave of server products, Lync can be installed on Windows Server 2008 R2 or Windows Server 2008 SP2. A welcome addition is support for virtualization on both Microsoft Hyper-V and VMware for all roles, including those handling real-time media. Basic guidance is to expect 50 percent less capacity than from physical hardware. For more information about Lync 2010 virtualization support, see the Microsoft TechNet article "Running in a Virtualized Environment" at technet.microsoft.com/en-us/library/gg399035.aspx.

Another improvement is that Lync 2010 
relies much less on the use of load balancers. 
These devices are necessary only for HTTP 
and HTTPS traffic rather than the multitude 
of real-time traffic that passed through them 
in OCS. This means simpler setup and goes a 
long way toward eliminating one of the most 
complex aspects of an OCS deployment. 

Microsoft made big changes in Lync to address previous deployment difficulties. Deployment now starts with the Planning Tool and the Topology Builder. The Planning Tool asks various questions about your intended deployment, including names and IP addresses of the servers. It then feeds the results into an XML file for import into the Topology Builder. Although the Planning Tool is relatively simple, it provides a starting point for those new to Lync and ensures that at least the basics are covered correctly. You can further define your system in the Topology Builder, including details of front-end pools, edge pools, and other infrastructure, such as monitoring and archiving servers. At this point the central configuration database is deployed and the topology is published to it. You then progress by deploying each server, which after basic bootstrapping pulls all relevant configurations from the central store. Another advantage is that the edge server is now managed centrally rather than administrators needing to log on to the local machine. This new SQL Server replication model ensures that administrators at least think through their deployment while using the Topology Builder and thus hopefully avoid costly mistakes. In addition, this now means a single store for configuration information rather than OCS's shared approach, which used SQL Server, Active Directory (AD), and Windows Management Instrumentation (WMI).

One final thing to remember while moving through the planning and deployment phases is that when interoperating with third-party equipment and services, it's beneficial to consider the Microsoft Unified Communications Open Interoperability Program. This program lets vendors certify that their products work well with Lync. For more information about the program, see the Lync Unified Communications Open Interoperability Program website at technet.microsoft.com/en-us/lync/gg131938.

Well Worth Evaluating 

Lync 2010 has been generally available since December 2010. This release adds critical functionality to ensure excellent service across a wide range of communication modalities. It stacks up particularly well in the telephony and collaboration space. In addition, Lync's ease of use and its tight integration with the Microsoft business productivity platform mean that users can get up and running quickly. Lync 2010 is one of the most exciting products from Microsoft in recent years and well worth evaluating for any company.
Creating best-of-breed architecture

by John Savill


In the first two articles in this series (“Virtual Desktop Infrastructure, Part 1,” January 2011, InstantDoc ID 129007, and “Virtual Desktop Infrastructure, Part 2,” April 2011, InstantDoc ID 129572), I covered the technologies that make up desktop virtualization, as well as the technique for creating a Microsoft Virtual Desktop Infrastructure (VDI) solution in Windows Server 2008 R2. Although Server 2008 R2's built-in VDI solution will meet the needs of many organizations, for a true best-of-breed Microsoft-based VDI architecture that maximizes functionality and accessibility while minimizing management and required resources, thus enabling a VDI infrastructure that meets any organization's requirements, you need to employ third-party solutions.

In this article I discuss Citrix's XenDesktop 5 desktop virtualization solution, as well as the AppSense Management Suite solution, which focuses on user personalization virtualization. Other great solutions also exist, but I don't have the space to discuss all of them here. XenDesktop and AppSense are complementary third-party solutions that let you maximize Server 2008 R2's VDI benefits.


XenDesktop 5 

XenDesktop is Citrix's presentation virtualization solution; it enables the delivery of a desktop experience to pretty much any type of client device. It uses the ICA protocol rather than standard Windows RDP, thus providing a great experience even over very slow, high-latency links. XenDesktop also supports several high-performance components that make up Citrix's HDX technology (High Definition experience) to give users a full-fidelity experience. Although many people think of Citrix as a Terminal Services-type solution in which the desktops are hosted on a server OS, XenDesktop also offers a very powerful client OS desktop experience through its own VDI implementation that interfaces nicely with Microsoft technologies. XenDesktop 5 offers several enhanced features over XenDesktop 4, plus it supports (and requires) Server 2008 R2 and Server 2008. (XenDesktop 4 was limited to Windows Server 2003 R2 and Windows Server 2003 for its services.)

Although this article focuses on XenDesktop 5's VDI uses, it's important to realize that XenDesktop 5 is far more than just extra bits for VDI. XenDesktop 5, with its XenApp components for application streaming and XenClient for client-side OS virtualization, enables many different methods for users to access and use virtualized OSs. This flexible solution, combining XenDesktop and XenClient, is called FlexCast. It isn't a single piece of code or technology but rather Citrix's ability to support essentially any type of endpoint and maximize the resources of that end client. To really understand this concept, let's look at some of the key Citrix use cases.

Hosted shared desktops. When you think about old-school Citrix, you probably think of MetaFrame, which consists of one or more server OSs running Terminal Services (called Remote Desktop Services—RDS—in Server 2008 R2) with the XenDesktop technology overlaid, allowing many users to have unique sessions on a single OS instance. This option is still very popular because you get the highest number of users per OS instance (as many as 1,000 users per box) and relatively simple management. This scenario is great for task-based workers who don't need to be able to customize the OS environment (which isn't possible, because the OS is shared by all users).

Hosted blade PC desktops. Each user connects via the Citrix ICA client to a dedicated physical machine in the data center, which could be a blade PC or simply desktops that are relocated to the data center. This use case is typically for users with very high resource requirements, such as graphics professionals.

Local streamed desktops. The client OS runs on the user's local computer without actually being installed. Instead, the computer boots over the network using the Preboot Execution Environment (PXE). The OS is streamed to the client as needed, which is actually how the hosted blade PC functions (as does the VDI solution, which I explain later in the article).

Local VM-based desktops. A new feature in XenDesktop 5 allows a virtual machine (VM) to be "checked out" from the XenDesktop infrastructure and run locally on the client machine, using the XenClient hypervisor. The key difference here between the local VM-based desktops and Windows 7's VHD Boot is that with VHD Boot, the OS isn't running within a virtualization environment, and only the file system is virtualized. With Citrix's local VM-based desktops, the OS is actually running within a hypervisor, meaning all aspects of the hardware are virtualized, which introduces a useful capability: Multiple OS images can be run concurrently on the same desktop. Many organizations use this technique to have a corporate image running on a machine for work actions that are heavily locked down and a second personal image that lets users do what they want but doesn't have the same access to corporate resources. These separate VM environments are totally isolated from each other, stopping vulnerabilities in one VM from affecting the other while still allowing the user to easily switch between them with a keystroke. These local VMs can actually be the same image a user is utilizing through VDI or other streaming methods but simply wants to take offline. Changes made offline are synchronized back (if desired) once network connectivity is again available, using block-level differencing, which minimizes bandwidth consumption.

Virtual applications. I discussed application virtualization, and Microsoft Application Virtualization (App-V) specifically, in the first article in this series. Application virtualization essentially abstracts an application from the OS by virtualizing all aspects of the OS to which the application commonly installs (i.e., the file system, registry, DCOM, user services), then runs the application in a virtual environment, which lets the application run on an OS without being installed on it. I also discussed presentation virtualization, in which an application runs on a remote server, with application window screen updates sent to the user's desktop so that the application appears to be running locally, although all execution is actually performed on the remote server. Citrix's XenApp provides the same capabilities; however, XenApp takes virtualized application accessibility to the next level, with great web-based UIs, plus the Dazzle plug-in for the local Citrix Receiver. (The Citrix Receiver is the main Citrix client application that's used to connect to Citrix services.) Applications are either streamed seamlessly to the OS and executed locally or executed on a Citrix server and presented via presentation virtualization, depending on the endpoint capabilities and best performance. XenApp actually supports App-V sequenced applications, which gives corporations the benefit of XenApp's flexibility in making virtualized applications available while leveraging App-V's power and superior capabilities for sequencing and abstracting applications from the OS. In addition, the Citrix interfaces can present web-based applications and Software as a Service (SaaS) applications, creating a corporate application marketplace that includes everything a user will ever need to access.

Virtual Desktop Infrastructure. Last but not least—and the entire focus of the three articles in this series—is VDI, or as it's otherwise known, hosted virtual desktops. Citrix's VDI solution is one of the six main use cases, but it leverages the technologies used by most of the other use cases that I discussed—which is what makes the Citrix desktop virtualization solution so powerful and appealing. A great deal of this power comes from XenDesktop's provisioning services capability and its HDX user experience.

When I discussed the Microsoft VDI solution in the second article in this series, I explained that one of the pain points is managing the client OS images. Remember that each VM needs its own Virtual Hard Disk (VHD), and those VHDs must be patched and managed, or they must be routinely deleted and recreated. Although this process can be automated, it's still fairly storage intensive—not to mention the amount of storage necessary to store a VHD for each virtual desktop. This is where the Citrix Provisioning Services component comes in.

Citrix Provisioning Services. Citrix Provisioning Services is an amazing piece of technology that lets you have a master OS image that's streamed to clients as it's needed, then cached. Note that I use the term client rather than VM; this is intentional. Although the focus of this article is VDI, I want to be clear that this streaming of an OS isn't limited to streaming to a VM. Citrix Provisioning Services can stream to a VM, a blade PC or workstation in a data center, or a user's desktop. All these types of clients can be streamed with the Windows OS over the network, thus removing the need to have a local OS and therefore removing the need to maintain and manage that local OS.

Remember that with application virtualization, we send only the bits of the application over the network that are actually needed for the parts of the application the user is using. Citrix Provisioning Services does the same thing but with the whole OS. Basically, the client device boots over the network and obtains an IP address from DHCP as usual. Citrix Provisioning Services' PXE service responds with its Trivial FTP (TFTP) location and the bootstrap name, which allows the client to boot over the network after the bootstrap is downloaded. The client can then locate a provisioning server that will create a virtual disk (vDisk, in Citrix terminology) based on the specified configuration. Next, the client device boots into Windows, and the Windows OS is streamed to the client as the client accesses the different parts of the Windows image and is cached to avoid additional network traffic.
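The network boot handshake described above, as an added example that is not Citrix or Microsoft code: a small Python parser that pulls the PXE boot pointer (the BOOTP next-server address, TFTP server option 66, and bootfile option 67) out of a DHCP offer, plus a check that the pointer names an expected provisioning server, which is the kind of validation a defender runs over captured offers to notice a client being steered to an unexpected PXE responder. The offer packet is constructed inline, and its addresses and bootstrap file name are placeholders.

```python
"""Parse the PXE boot pointer out of a DHCP offer.

Added example, not Citrix or Microsoft code. The Provisioning Services PXE
service described in the text answers a network-booting client with a TFTP
server location and a bootstrap file name; on the wire those travel in the
BOOTP 'siaddr'/'file' header fields and/or DHCP options 66 and 67. The sample
packet built below is constructed here; its addresses and bootstrap name are
placeholders, not real deployment values.
"""

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # follows the 236-byte BOOTP header
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_TFTP_SERVER, OPT_BOOTFILE = 53, 66, 67
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from the options field (RFC 2132 TLVs)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def pxe_boot_pointer(packet: bytes) -> dict:
    """Extract everything a PXE client uses to locate its bootstrap."""
    opts = parse_dhcp_options(packet)
    siaddr = ".".join(str(b) for b in packet[20:24])          # 'next server'
    header_file = packet[108:236].split(b"\x00", 1)[0]        # 128-byte 'file'
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "msg_type": MSG_TYPES.get(msg_type, "UNKNOWN"),
        "siaddr": siaddr,
        "tftp_server": opts.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace"),
        # option 67 takes precedence over the header field when both are present
        "bootfile": (opts.get(OPT_BOOTFILE) or header_file).decode("ascii", "replace"),
    }


def boot_pointer_is_expected(packet: bytes, allowed_servers: set) -> bool:
    """Defender's check: every server the offer points at must be a known
    provisioning server. An offer naming no server at all also fails."""
    info = pxe_boot_pointer(packet)
    servers = {info["siaddr"], info["tftp_server"]} - {"", "0.0.0.0"}
    return bool(servers) and servers <= allowed_servers


def build_offer(siaddr: str, tftp_server: str, bootfile: str) -> bytes:
    """Construct a minimal DHCPOFFER carrying a PXE boot pointer (sample input)."""
    header = bytearray(236)
    header[0] = 2                                   # op = BOOTREPLY
    header[1], header[2] = 1, 6                     # htype Ethernet, hlen 6
    header[20:24] = bytes(int(o) for o in siaddr.split("."))
    options = (bytes([OPT_MSG_TYPE, 1, 2])                                # OFFER
               + bytes([OPT_PAD])                                         # padding
               + bytes([OPT_TFTP_SERVER, len(tftp_server)]) + tftp_server.encode()
               + bytes([OPT_BOOTFILE, len(bootfile)]) + bootfile.encode()
               + bytes([OPT_END]))
    return bytes(header) + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    # Placeholder provisioning server address and bootstrap name.
    offer = build_offer("10.0.0.5", "10.0.0.5", "pvs-bootstrap.bin")
    print(pxe_boot_pointer(offer))
    print("points at an expected server:", boot_pointer_is_expected(offer, {"10.0.0.5"}))
```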

Virtual disks. Obviously, you don't want every client that Citrix Provisioning Services provides with an OS to require its own dedicated VHD. This would consume a huge amount of disk space and not save any management work in terms of patching and maintenance—in fact, it would increase your workload. Instead, you want to use the single master image that all the clients in your environment use, whether they're blade PCs, desktops, or VMs. If you use a master image, that image must be read-only because you can't have 500 different clients writing to the same VHD—to say that this situation would be confusing would be an understatement! Instead, the master image is placed in a read-only mode and each client is assigned a virtual disk (again, vDisk according to Citrix) that's used to store any writes the client makes, such as OS customization or Active Directory (AD) membership.

A standard vDisk image type is typically used, which means that each time the client reboots, the vDisk content is wiped, essentially resetting the client back to the master image state. This is preferable in most scenarios, especially VDI. We can also use a differential vDisk image type, which works the same way as the standard vDisk, except writes are persisted across reboots (meaning that any changes are kept). The differential vDisk would be limited to select client environments that need changes persisted; however, it's important to remember that if the master image is changed (e.g., if patches are applied), even differential vDisks are wiped.

If you need a long-term persistent state of a client OS, you can use a private vDisk, which is a read/write image just for that client. However, you lose most of the benefits with this model because you must patch and manage the image separately from your master image. If you architect your environment correctly, the need for this type of environment should be very limited because the application and user states are virtualized and dynamically composited together at user logon time. Thus, a user has the impression of being on the same desktop even though a different OS might be used for each connection.


The virtual disk location is configurable 
and can be stored on the provisioning server 
(which isn't typically recommended), the 
client disk, or in client memory. Remember 
that in the case of VDI, the provisioning 
service's client is actually the hypervisor, 
so this method would use the hypervisor's 
disk or memory resources. 

What all of this means is that we now have a single master image that we must patch and maintain and that will be used for all provisioning service clients: our VDI VMs, blade and workstation data center PCs, and streamed desktops. In addition, this master image can be checked out by clients and used offline for local VM desktops. Not only do we save a huge amount of maintenance work, but our disk space requirements on the data center back end also drop drastically because we must store only the virtual disk write changes. These changes will be minimal, considering that the applications are virtualized and all user data is redirected to network folders.

Machine Creation Services. New to XenDesktop 5 is Machine Creation Services (MCS), which leverages Citrix Provisioning Services technology but requires less infrastructure and configuration and is targeted at small environments and proof-of-concept projects. Rather than performing OS streaming only as needed, MCS still has a master image—but in addition to the differencing disk where changes are written, there's an identity disk that stores the unique information about the OS instance, such as AD membership and computer name. The reason MCS is targeted for small environments is simply that it's a newer technology that hasn't been tested in large environments. However, I think we'll see similar scaling for MCS and Citrix Provisioning Services in the future. It's important to note that MCS works only on VM-based desktops (i.e., VDI), whereas Citrix Provisioning Services supports all the different use cases I discussed, as well as provides much more power and flexibility.

ICA. Citrix Provisioning Services sounds great, but what about the actual client experience when accessing the OS remotely? Citrix installs its Virtual Desktop Agent (VDA) on all the Windows OSs it serves. Citrix's XenDesktop solution includes the ICA protocol, which replaces Microsoft's RDP and is a key part of Citrix's HDX user experience. (HDX is another key feature of XenDesktop that offers highly efficient bandwidth utilization, adjusted quality based on latency and speed, multimedia support, Adobe Flash, 3D applications, real-time collaboration, and many types of USB peripherals.) If your endpoint devices have capabilities such as graphics rendering, those capabilities are utilized, thus reducing the load on the back-end servers by sending the native media streams and graphics commands. Where available, optional server-side hardware accelerators can be leveraged.

The area in which Citrix shines brightest is endpoint device support for ICA, which is why many organizations leverage Citrix for presentation virtualization. As new platforms come out, Citrix seems to be ready and waiting with a version of its Citrix Receiver (the ICA client) for that platform. The Citrix Receiver covers all the major platforms, including Windows 7, Windows Vista, Windows XP, Windows Mobile, Mac, Linux, iOS (yes, your iPad will work), Android, and BlackBerry.

Citrix/Microsoft partnership. Last, but certainly not least, is Citrix's unique relationship with Microsoft regarding desktop virtualization. Citrix and Microsoft have joint solutions for desktop virtualization, and the two companies' development teams work closely to ensure the best client experience when using their joint solution. Citrix integrates very well with Microsoft System Center Configuration Manager (SCCM), App-V, and Microsoft System Center Virtual Machine Manager (VMM) for virtualization management. Citrix will also take advantage of Microsoft's Hyper-V 2008 R2 SP1 Dynamic Memory and RemoteFX features in an upcoming XenDesktop update. For more information about XenDesktop 5, go to Citrix's XenDesktop website at www.citrix.com/virtualization/desktop/xendesktop.html.

AppSense Management Suite 

Windows 7 made improvements in its roaming profile technology to allow background synchronization. However, we still need different profiles for XP clients (version 1) and for Windows 7 and Vista clients (version 2), in addition to different profiles for terminal servers, and so on. Also, problems can occur if users log on concurrently to multiple machines with the same profile—in which case the last writer wins. 

Figure 1: AppSense user profile virtualization layer and its synchronization 

Citrix includes some basic functionality to improve handling of the user profile; however, the best solution comes from AppSense. The company's AppSense Management Suite virtualizes and streams the user profile as needed and isolates distinct parts of the profile, including individual application portions, to let users have multiple concurrent sessions using the same profile across different platforms. Without users even logging off, user profiles are kept synchronized in real time. 

Typically, customizations made to an application that's natively installed and one that's executed using application virtualization aren't shared, so you must customize the applications multiple times. With AppSense, your customizations are persisted whether the application is installed locally, is running remotely, or is virtualized. These customizations aren't limited to cosmetic changes. Applications with user-defined dictionaries, for example, are maintained not only by profile syncing but also by capturing file system content that contains app data (e.g., custom dictionaries). 

The following is a great example of AppSense in action. Suppose you have one user who is logged on to a Windows 7 machine and an XP machine, using the same username and therefore the same user profile. On the XP machine, the user launches Microsoft Word, changes the layout of Word, adds some words to the custom dictionary, saves a new document, and closes Word without logging off. The user then switches to the Windows 7 machine (which is already logged on) and starts Word. The document the user saved under XP is listed under recently used documents; when the user opens the document, the words the user added to the custom dictionary are available, and the look and feel of Word match what the user configured in the XP session. 

This flexibility and granularity are achieved because AppSense doesn't treat the profile as a single blob but instead breaks the profile down into individual elements that can then be synchronized and streamed to the client as needed by the environment and applications. This treatment of the profile and supporting file system structures is achieved in a similar fashion to how application virtualization works for applications. When the user launches an application, AppSense injects a DLL (appinit.dll) to intercept file system and registry calls by the application. This interception sits above the App-V engine interception, which means customization and configuration of applications are kept and synchronized between different sessions regardless of whether one app instance is local and another is virtualized, as Figure 1 shows. (Note that App-V is supported but not required.) As you can see, three layers exist in an environment: the OS virtualization layer, the application virtualization layer, and the full user virtualization layer. This structure allows full flexibility and portability across platforms and delivery mechanisms. 

AppSense clients communicate over HTTP or HTTPS to the AppSense Personalization Server role, which uses SQL Server to store the profile elements. This communication occurs each time a user opens or closes an application. AppSense checks whether anything has changed, and if so, synchronizes the delta, thus minimizing network usage and making the synchronization process very fast. 
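The two behaviours this section contrasts (the last-writer-wins problem with a whole roaming profile written back as one blob, and synchronizing only the delta of profile elements that changed) can be modelled in a few lines. The following is an added example, not AppSense's code: it splits a profile into per-application elements, hashes each element so a session can detect what it changed since its last sync, and compares merging that delta with overwriting the whole profile. The element names, the hashing scheme and the two sample sessions are constructed for the illustration; write-back is modelled at application close.

```python
"""Element-level profile sync versus whole-profile roaming (added example).

This is an added illustration, not AppSense code. It models the two
behaviours the text contrasts: a roaming profile written back as one blob,
where the last session to write wins, and a profile split into per-
application elements where only the elements that changed since the
session's last sync (the delta) are sent. The element names, the hashing
scheme and the two sample sessions are constructed for the illustration.
"""
import hashlib
import json
from copy import deepcopy

# Constructed sample: the server-side copy of one user's profile, split into
# per-application elements.
SERVER_PROFILE = {
    "word": {"layout": "default", "custom_dict": ["SharePoint"], "recent": []},
    "outlook": {"signature": "Regards", "view": "compact"},
}


def element_hash(element):
    """Stable content hash of one element, so a session can tell which
    elements it changed without comparing whole contents."""
    canonical = json.dumps(element, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def snapshot(profile):
    """Per-element hashes as of the last sync: the session's baseline."""
    return {name: element_hash(elem) for name, elem in profile.items()}


def compute_delta(local, baseline):
    """Only the elements whose content differs from the session's baseline:
    the 'check whether anything has changed' step."""
    return {name: elem for name, elem in local.items()
            if baseline.get(name) != element_hash(elem)}


def sync_elements(server, local, baseline):
    """Element-level sync: merge just the changed elements into the server
    copy and move the baseline forward. Elements this session never touched
    are left alone, so a concurrent session's edits to other apps survive."""
    delta = compute_delta(local, baseline)
    server.update(deepcopy(delta))
    baseline.update(snapshot(delta))
    return delta


def sync_blob(server, local, baseline):
    """Whole-profile roaming: the session overwrites the entire profile,
    so anything another session wrote in the meantime is lost."""
    server.clear()
    server.update(deepcopy(local))
    baseline.update(snapshot(local))


def run_scenario(sync):
    """Two sessions of one user start from the same server copy: the XP
    session customises Word, the Windows 7 session changes an Outlook view.
    Both write back with the given strategy; the final server copy is
    returned."""
    server = deepcopy(SERVER_PROFILE)
    xp, xp_base = deepcopy(server), snapshot(server)
    win7, win7_base = deepcopy(server), snapshot(server)

    xp["word"]["layout"] = "draft"
    xp["word"]["custom_dict"].append("XenDesktop")
    xp["word"]["recent"].append("notes.docx")
    win7["outlook"]["view"] = "reading-pane"

    sync(server, xp, xp_base)      # XP session closes Word first
    sync(server, win7, win7_base)  # Windows 7 session writes back last
    return server


if __name__ == "__main__":
    for name, strategy in (("last writer wins", sync_blob),
                           ("element delta", sync_elements)):
        result = run_scenario(strategy)
        print(f"{name}: Word layout={result['word']['layout']}, "
              f"Outlook view={result['outlook']['view']}")
```

Run stand-alone, it prints the final server copy under both strategies. With the blob strategy the XP session's Word customizations are gone because the Windows 7 session wrote back last; with the element strategy both sessions' changes survive because each session sends only the elements it actually changed, which is also why the delta stays small on the wire.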

Using SQL Server to store each profile element enables other powerful capabilities. On the AppSense Personalization Server role, administrators can launch an AppSense Personalization Analysis of all users or selected users, then drill down to look at each user's personalization, including the personalization of each application a user has used. You can open each element to see the virtual registry and file system associated with each application's part of the profile, which can be modified (e.g., deleting settings from the registry or files from the virtual file system to then be used the next time the application launches). 

Sometimes users encounter problems, and you might need to roll back to a previous profile version. AppSense lets you roll back a profile to a previous point in time—but even better, you can also roll back an application element to a previous point in time without affecting the rest of the profile, as Figure 2 shows. This capability would be useful, for example, if a user called the Help desk to report a broken application; the administrator could simply roll back the application's configuration to a previous point in time. 

Figure 2: Rolling back a specific portion of a user profile 

Figure 3: Integrated virtualization solution 

In addition to being a great VDI solution, AppSense is also a useful technology throughout the entire enterprise. For example, migrating from XP to Windows 7 with AppSense is a snap because there's essentially no work related to the user profile (which is typically a large part of the migration process). Even if you aren't currently using AppSense, when you deploy the program, the agent will automatically migrate XP profiles into AppSense. As soon as you test those pesky applications for Windows 7, you'll be good to go. 

Looking toward the future, AppSense is working on solutions to handle user data and user-installed noncorporate applications with the same power with which the AppSense Management Suite currently handles user profiles and policies. I'm excited to see these features in a future release. Although I touched on only one of AppSense's major features in this article, the product offers a range of benefits, including a full policy engine that's highly granular and that doesn't require logons or logoffs to apply policy changes but can still read standard Group Policy ADM templates. Because AppSense virtualizes the user state, the product can also help with App-V virtualization issues for certain applications that otherwise require complex changes to the virtualized application. For more information about AppSense, go to the company's website at www.appsense.com. 


A Truly Integrated Solution 

Now that you understand all the components available for creating a VDI architecture, as well as their power, you can see that overlaps exist between technologies. Citrix provides application virtualization with XenApp, whereas Microsoft provides App-V. Citrix has XenServer and Microsoft has Hyper-V. Microsoft has roaming profiles, but AppSense's features are far superior to the in-box roaming profiles. We need to consider all these technologies together to create the best solution. 

Working from the ground up, an optimal architecture uses Hyper-V for the hypervisor. Why would we use Hyper-V rather than XenServer? Because Hyper-V provides the best performance and density for Windows 7 virtualized OSs. If you're setting up an XP VDI environment, then XenServer provides better performance—however, if you're setting up an XP VDI environment today, we need to talk! Another reason to use Hyper-V is Microsoft's investment in the Hyper-V technology, including improvements in Server 2008 R2 SP1 to add dynamic memory and RemoteFX, both of which are key VDI features that XenDesktop will also leverage in the future. Even Citrix recommends the use of Hyper-V over its own XenServer for Windows 7 VDI environments. The best choice to manage the Hyper-V environment is VMM. 

Next, we need to consider the actual brains of the VDI environment, including the broker, provisioning services, and application streaming. XenDesktop is the best choice in this area because it offers superior functionality over Microsoft VDI, primarily because of its capabilities around master images as the basis for the client VMs and its wide array of supported client devices through ICA and HDX. 

For application virtualization (i.e., abstracting the application from the OS), App-V is the best choice. Some people might wonder why you'd use App-V sequencing rather than XenApp profiling, especially because XenDesktop includes XenApp, so you'll already own it. However, several reasons exist for using App-V rather than XenApp for application virtualization. Again, Microsoft has invested a huge amount of time and research into making App-V the most powerful application virtualization technology. The App-V sequencing process is far more flexible and comprehensive than the XenApp profiling process, resulting in greater application virtualization success. App-V supports virtualization of user mode services and DCOM, which XenApp doesn't. In the future, Microsoft applications will be delivered with templates that enable very easy sequencing with App-V; the rest of the industry is likely to follow. XenApp hooks into App-V, allowing XenApp services to deliver App-V-sequenced applications. Thus, we get all the virtualization power of App-V and the delivery and presentation capabilities of XenApp—the best of both worlds. 

The obvious OS choice is Windows 7. In addition, installing the Citrix Virtual Desktop Agent lets you use the ICA protocol to access desktops and take advantage of the HDX experience from all the various platforms that provide Citrix Receivers. 

For user virtualization, AppSense provides a seamless user experience during a VDI session, local session, terminal server session, or even in a mix of OSs. AppSense uses a minimum of resources and bandwidth but provides great management capabilities to help solve any user problems that might occur. 

Although this integrated solution, which Figure 3 shows, combines software from three different vendors, these vendors have a very strong partnership. This solution combines the best products available to create a state-of-the-art VDI architecture that will meet all of your organization's virtualization needs. 
Cloud computing is highly appealing to today's organizations, not only because of its projected cost savings but also because of key characteristics such as the cloud's elasticity, scalability, and flexibility. However, cloud computing also brings new challenges. The concentration of an organization's computing resources and data in the cloud can create a more attractive target for potential attackers. Although cloud-tailored security defenses can be robust, scalable, and cost effective if properly implemented, security remains a top concern for organizations considering cloud-based services. 

Your choice of a cloud service delivery and deployment model directly affects the security of your organization. In addition, planning for cloud-based IT services creates several security challenges that you must overcome if you hope to take advantage of the cloud's benefits while minimizing the risks. 


Focus on security when considering cloud adoption 

by Jan De Clercq 


Delivery Model Security 

A common architectural model used to frame the services a Cloud Service Provider (CSP) can deliver to organizations (i.e., the cloud service consumers) is the SPI model. SPI refers to the delivery of software, platform, and infrastructure services in the cloud; these cloud service offerings are referred to as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). 

The SPI model is a stacked model, as Figure 1 shows, in which IaaS sits at the bottom of the stack, SaaS at the top, and PaaS in the middle. The higher you go in the SPI stack, the more responsibility and control the CSP has and the less responsibility, control, and flexibility the service consumer has. This rule also applies to security. 

SaaS. With SaaS, organizations buy cloud-based applications or software from a CSP. Instead of purchasing software applications off-the-shelf and installing, configuring, and maintaining them, organizations rent applications from a SaaS CSP. The CSP manages and controls the cloud infrastructure underneath the applications (including components such as OSs, servers, storage, and networks), as well as general application setup and configuration. Typically, SaaS consumers handle only user-specific application configuration and identity management tasks. Of all the cloud service delivery models, SaaS provides the most integrated security services, built directly into the cloud offering, with the least consumer extensibility. A good SaaS example is the use of Microsoft Exchange Server email services with Microsoft Office 365. 

PaaS. PaaS CSPs offer a cloud-based development environment that lets organizations build and deploy their applications on top of a cloud platform. As with SaaS, the PaaS CSP controls the cloud infrastructure that underlies the PaaS platform. Because PaaS sits lower in the SPI stack, it's more extensible than SaaS. The built-in security features are less complete and there's more flexibility for consumers to include additional security services. A good PaaS example is the Microsoft Azure platform. 

IaaS. When using IaaS, organizations rent fundamental computing resources, such as processing power, storage space, and network segments, in the cloud. With IaaS, organizations have control over the OSs and applications they deploy on top of the rented computing resources. Of all the models, IaaS has the greatest extensibility. For security, this means that the IaaS CSP includes only basic infrastructure protection services: The OSs, applications, and content must be secured by the cloud consumer. A good IaaS example is the Amazon Elastic Compute Cloud (EC2) offering. 

Figure 1: SPI cloud service delivery model 


The SPI model shows that in the cloud, security is typically a shared responsibility that's split between the cloud consumer and the CSP. Creating clearly defined service level agreements (SLAs) between the cloud consumer and the CSP is therefore critically important. As a cloud consumer, you might also require security audits of the CSP's environment or some kind of proof that the CSP has implemented sufficient and effective security controls. 

The degree to which you need SLAs and security controls in the cloud obviously depends on what part of your business you want to make dependent on the cloud. As for any security investment, it's important that you first perform a solid requirements analysis and risk assessment. 

Deployment Model Security 

Regardless of the cloud service delivery model (i.e., SaaS, PaaS, or IaaS), cloud services can be deployed in a public (or external), private (or internal), or hybrid cloud. These three cloud deployment models affect how an organization manages and maintains security controls, as well as what security operations the organization is ultimately responsible and accountable for. 

Public. A public cloud provides cloud services to organizations over the Internet. This model is hosted, operated, and managed by a third-party cloud service vendor that provides services from an Internet-facing data center. In a public cloud, security management is delegated to the third-party cloud service vendor. Because cloud consumers have no direct insight into the way the vendor implements, operates, and maintains security, cloud consumers and vendors might need to establish strict SLAs—but this requirement obviously depends on the criticality to your business of the applications and data you put in the public cloud. Similarly, consumers can require regular security audits to guarantee appropriate security controls. 

Public clouds typically offer their services to different organizations using a common or shared IT infrastructure. This phenomenon is referred to as multi-tenancy and creates a set of interesting security challenges to guarantee that the different tenants' (i.e., organizations') data is isolated while it's processed, transmitted, or stored on the shared public cloud infrastructure. 

Private. A private cloud brings cloud services to private networks: It's a cloud that serves a single organization. The network, computing, and storage resources underlying a private cloud are dedicated to one organization. For organizations that often deal with confidential or sensitive data, this is an important security argument. A private cloud allows organizations to take advantage of cloud features such as elasticity and flexibility while maintaining sufficient control and security for the organization's data. 

Private clouds don't take away the possibility of outsourcing: A private cloud can be entirely or partially managed by a third party. In that context, an organization might decide to keep the responsibility of the entire security management and operation of its private cloud with its internal IT department, or to outsource certain security functions to a third-party provider. 

A private cloud can be hosted on premises (in a customer-owned data center), off premises (in a third party's data center), or partially on premises and partially off premises. Although the use of SLAs isn't common in public clouds, SLAs are common when outsourcing is used for private clouds. SLAs give the private cloud consumer more control and insight into the security operation of its outsourced private cloud and make it easier to comply with standards, policies, and regulations. 

As with public clouds, private clouds can also have multi-tenancy security requirements. In a private cloud, an organization might require strict isolation between the data of its different internal business units. 

Hybrid. A hybrid cloud is a mix of a private cloud and one or more public cloud components. It brings together the best of the private and public cloud worlds. Organizations might prefer a hybrid cloud approach to let them run their non-core applications in a public cloud, while putting their core applications and sensitive data in an on-premises private cloud. Because of its flexibility, there's a fair chance that the hybrid cloud model will become organizations' favorite cloud deployment model. 

Security Priorities for Cloud Adoption 

The main security priorities to keep in mind when your organization considers cloud adoption can be split across the following security areas: Governance, Risk, and Compliance (GRC); Identity and Access Management (IAM); infrastructure security; and data protection. 

Governance, Risk, and Compliance. Perhaps the most important but also the most challenging security area to deal with in the cloud is GRC. The ultimate goal of GRC is to improve the overall security posture of a cloud solution by using formal methods for risk management, security controls assessment, and compliance monitoring. 

A GRC program consists of several stages. It starts with a risk assessment to identify the security risks that the cloud solution will face and to identify the applicable regulations. The next step is to identify the security controls that can address the identified risks and ensure regulatory compliance. The CSP and the consumer must then decide on a monitoring and reporting system to check and report whether the controls effectively meet security requirements. Finally, the monitoring results might lead to improvements and changes to the security controls. 

Certainly, GRC in the cloud isn't a one-time activity but an ongoing process that's constantly on the watch for new threats and security improvements. It might be difficult in the cloud to align the GRC processes of your organization with those of your CSP and to ensure regulatory compliance of geographically diverse cloud infrastructures. 

Identity and Access Management. IAM incorporates services such as identity provisioning, authentication, authorization, and auditing. For IAM, the biggest cloud challenge lies in the changed trust boundaries. In most cases, the trust boundary in a cloud solution moves beyond the control of an organization's IT department because it extends into the CSP's infrastructure. This means that the reach of internal IAM systems must be extended to the CSP environment. If this is difficult, it must be counteracted by stronger authentication and authorization controls at the entry and exit points of the cloud solution. 

For cloud-based authentication and authorization, you should consider identity federation solutions that build on the Security Assertion Markup Language (SAML) standard. For cloud-based provisioning, you should consider solutions that support the Service Provisioning Markup Language (SPML) standard. Finally, be sure that you get your internal IAM systems right before you consider linking your IAM system to the cloud. Many organizations have complex IAM systems that consist of different directory, access management, and provisioning solutions. Unless you simplify and streamline your internal IAM infrastructure, linking it to the cloud will become an even more complex task. 

Infrastructure security. Infrastructure security incorporates security at the host, network, application, and virtualization layers of a cloud solution. If the cloud solution moves beyond the borders of the organization, infrastructure security responsibilities are split between the cloud consumer and the CSP. It's crucial that cloud consumers understand and agree on the exact infrastructure security services the CSP will provide and which infrastructure security services they still must provide themselves. 


On the network layer, you must especially protect the confidentiality and integrity of data while it's in transit across public networks. You must also be on the lookout for attacks on the cloud solution's Internet-facing entry points. 

On the host layer, you must ensure that proper malware protection and security patching solutions are in place both on the level of client access points (e.g., laptops, desktops, PDAs, terminals) and on the level of the back-end server infrastructure in the cloud data center. Host security also includes the virtualization layer, which creates a set of new security challenges. You must make sure that you and your CSP provide sufficient security services on all virtualization levels, including the parent OSs, the guest OS, and the hypervisor layer. 

Although application security is often neglected, studies show that most vulnerabilities are discovered at the application level. An important cloud application security priority is to ensure that your software is developed using a secure software development life cycle (SDLC). In the cloud, your organization or the CSP must also provide application-level security protection (e.g., through web application firewalls), patching, vulnerability scanning, logging and reporting, and integration with your IAM infrastructure. If your organization already has an established application security program, it might need updating to cope with the additional risks created by the cloud service delivery models. 

Data protection. Data protection covers both data security (confidentiality, integrity, and availability protection) and data privacy protection. The primary means to provide data confidentiality and integrity in the cloud is encryption. Encrypting data introduces additional challenges related to secure key management and the secure processing of encrypted data in a multi-tenant cloud environment. For data availability, working and regularly tested backup and recovery mechanisms remain crucial security tools. 

Data Loss Prevention (DLP) solutions are an emerging set of data-protection solutions for the cloud. Organizations can use DLP solutions to protect business-critical data in the cloud and prevent data leakage, distribution, or unauthorized use. 

In the cloud, you might also want to pay special attention to data remnants, which are the residual representations of data after erasing, removing, or deleting the data from a CSP's storage providers. To make sure that your data leaves no trace, you might want to require the use of advanced data and disk clearing and sanitization solutions. 

Finally, data privacy protection in the cloud brings significant challenges if organizations and CSPs must adhere to different privacy regulations. The cloud currently also lacks technical tools to let individuals effectively control where Personally Identifiable Information (PII) is used, stored, and travels. Much remains to be done on the privacy front. 

Risks vs. Benefits 

Cloud computing can provide highly scalable and flexible IT services over Internet-based protocols. Important security challenges for organizations that consider cloud adoption include changes to the traditional security and trust boundaries and the associated loss of control. Implementing security controls is relatively easy if you have physical access to your applications and systems—but in the cloud, you must leave this responsibility to the CSP. 

To cope with these challenges, organizations must extend or link key pieces of their current internal security infrastructures with the cloud and will need to rely on strict SLAs for the level of security the CSP is expected to deliver. Customers that have experience with IT outsourcing can benefit from past experience with dividing pieces of the security ownership cake. 

Organizations should also be extremely careful when they migrate and store valuable data in the cloud; it's absolutely paramount to check the CSP's security controls to guarantee the appropriate level of data security. Finally, remember that any cloud-related security exercise must start off with a risk assessment and the creation of a proper GRC program that's tailored to the cloud. 
In "SharePoint 2010 Disaster Recovery, Part 1" (www.windowsitpro.com, InstantDoc ID 129713), I discussed the various types of disasters that can befall your Microsoft SharePoint Server installation, as well as techniques to protect against those disasters. Part 1 focused on how to plan for and recover from content deletion disasters; in that discussion, I made the assumption that the infrastructure was functioning. In this article, I cover what happens when the infrastructure itself fails. This type of disaster includes machine outages, such as a SharePoint server crash or a Microsoft SQL Server machine crash, as well as facility failures. I also explain how to make your SharePoint farm highly available, including measures you can take to prevent the types of disasters I discuss. 


Background 

Any good technical article provides some background to help frame the discussion. In Part 1, I discussed the need to have a service level agreement (SLA) in place to define your disaster recovery expectations. 

You also need a well-defined recovery time objective (RTO), which is a guideline for how quickly you must get SharePoint back online after a disaster strikes. For example, your RTO might state that when SharePoint goes offline, your objective is to get it back online in 4 hours. Having a defined RTO helps you shape your disaster recovery strategy, and it also sets your customers' expectations. A good rule of thumb is to round up. It's better to under-promise and over-deliver than to over-promise and under-deliver. Sometimes the key to success hinges on lowered expectations. 

Another important factor in ensuring successful disaster recovery is your recovery point objective (RPO), which defines the data that comes online at the time of recovery. In Part 1, I discussed RPO in the context of the point from which documents can be restored. For example, is the RPO midnight, when the backups ran? Is the RPO "no more than 2 hours old"? The RPO specifies the latest point in time to which we can recover. 

To illustrate these points, it's helpful to use an example. Suppose your RTO is 2 hours and your 
RPO is midnight of the previous day. If someone calls you at 1:00 p.m. to report missing content, you 
have until 3:00 p.m. (i.e., your RTO of 2 hours) to restore the data, which will be no older than from 
midnight of the previous night (i.e., your RPO). 

Having a well-defined RTO and RPO is imperative to planning an appropriate disaster recovery strategy. If you're performing backups only at midnight and your RPO states that your customers will never lose more than 4 hours of work, then you have a conflict. To meet your RPO, you must increase your backup frequency—which will cost money at the very least, as well as possibly decrease performance. However, these tradeoffs are necessary to meet your objectives. In most cases, the shorter the RTO or RPO, the more money and management time it takes to achieve. 
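The arithmetic in the RTO/RPO examples above can be turned into a small planning check. The following is an added example, not anything from the article: it takes a daily backup schedule, an RPO and an RTO, and computes the restore deadline, the newest restore point the schedule can offer, and whether the schedule can meet the RPO at all, where the worst-case loss is the longest gap between backups, including the gap across midnight. The schedules and the incident date are constructed samples.

```python
"""RTO/RPO planning checks (added example, not from the article).

Given a daily backup schedule, an RPO and an RTO, this works out what the
article reasons through by hand: the deadline for getting SharePoint back,
the newest restore point the schedule can offer, how much work that loses,
and whether the schedule can meet the RPO at all. The schedules and the
incident time below are constructed samples.
"""
from datetime import datetime, time, timedelta


def hours(n):
    """Shorthand so RTO/RPO values read as they do in an SLA."""
    return timedelta(hours=n)


# Constructed schedules: full backups at midnight only, or every four hours.
MIDNIGHT_ONLY = [time(0, 0)]
EVERY_FOUR_HOURS = [time(h, 0) for h in range(0, 24, 4)]


def worst_case_loss(schedule):
    """Longest gap between consecutive daily backups, wrapping past
    midnight: the most work a user can lose if the failure hits just
    before the next backup would have run."""
    if not schedule:
        raise ValueError("no backups scheduled: potential loss is unbounded")
    minutes = sorted(t.hour * 60 + t.minute for t in schedule)
    gaps = [later - earlier for earlier, later in zip(minutes, minutes[1:])]
    gaps.append(24 * 60 - minutes[-1] + minutes[0])  # last backup to first next day
    return timedelta(minutes=max(gaps))


def schedule_meets_rpo(schedule, rpo):
    """An RPO is only achievable if no gap in the schedule exceeds it."""
    return worst_case_loss(schedule) <= rpo


def restore_point(schedule, incident):
    """Most recent backup taken at or before the incident: the newest data
    that can actually be brought back."""
    candidates = []
    day = incident.date() - timedelta(days=1)  # previous day covers the wraparound
    while day <= incident.date():
        for t in schedule:
            stamp = datetime.combine(day, t)
            if stamp <= incident:
                candidates.append(stamp)
        day += timedelta(days=1)
    return max(candidates)


def plan_recovery(schedule, rpo, rto, incident):
    """Everything the Help desk needs to say when the call comes in."""
    point = restore_point(schedule, incident)
    return {
        "deadline": incident + rto,          # RTO: back online by this time
        "restore_point": point,              # the data will be current as of this
        "data_loss": incident - point,       # work between restore point and failure
        "worst_case_loss": worst_case_loss(schedule),
        "rpo_met_by_schedule": schedule_meets_rpo(schedule, rpo),
    }


def article_example():
    """The article's numbers: RTO of 2 hours, backups at midnight, a call
    at 1:00 p.m. (the date is a constructed sample)."""
    call = datetime(2011, 6, 15, 13, 0)
    return plan_recovery(MIDNIGHT_ONLY, rpo=hours(24), rto=hours(2), incident=call)


if __name__ == "__main__":
    plan = article_example()
    print("restore by", plan["deadline"].strftime("%H:%M"),
          "from the", plan["restore_point"].strftime("%Y-%m-%d %H:%M"), "backup")
    print("midnight-only schedule meets a 4-hour RPO:",
          schedule_meets_rpo(MIDNIGHT_ONLY, hours(4)))
    print("4-hourly schedule meets a 4-hour RPO:",
          schedule_meets_rpo(EVERY_FOUR_HOURS, hours(4)))
```

For the article's numbers (midnight backups, an RTO of 2 hours, a call at 1:00 p.m.) the plan gives a 3:00 p.m. deadline and the midnight backup as the restore point; a midnight-only schedule fails a 4-hour RPO, while a schedule with a backup every four hours meets it. The check only covers the backup cadence; the time the restore itself takes still has to fit inside the RTO.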


Machine Failure Outages 

Now that we've covered the basics, let's get down to the technical aspects of disaster recovery. The very least you can do in order to recover from a machine failure is to back up your databases. As the old saying goes, "Content is king"—and if you have all your databases, you have all your content. If you're not already performing backups, rest assured that getting started is easy. (Remote Blob Storage—RBS—presents a database backup problem; for more information, see the sidebar "Remote Blob Storage Affects Database Backup.") 

For a crash course in performing backups of all your SharePoint databases, see my blog post "Scheduling SQL backups for SharePoint" at www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=248. While you're at it, go ahead and back up your SQL Server databases as well. These backups won't take up much space, but they'll really come in handy if you have to rebuild your SQL Server instance from scratch. Not only can you use these database backups to recover individual items, as I discussed in Part 1, but you can also use them to recover site collections, web applications, service applications, or an entire farm. Let's walk through a few scenarios to see how. 

SharePoint crashes. Suppose you have a typical small farm that consists of one SQL Server machine and one SharePoint server. As a good SharePoint administrator, you make backups of all your databases each night. You come in one rainy Wednesday morning to the cries of your users that "SharePoint is down!" After getting your morning coffee, you try to browse to SharePoint and realize, lo and behold, that it's actually down. Not only is SharePoint down, it appears that the entire server is down. You can't connect to it via RDP, and it won't respond to pings—it's just plain dead. You rush into the server room and you see your SharePoint server sitting at the boot screen, unable to find a hard drive to boot from. Whichever drive subsystem you had, whether a single drive, RAID 1, or RAID 5, it's no longer working. The server and all its contents are gone. What do you do besides verify that your resume is on a thumb drive in your pocket? 

In reality, this kind of disaster isn't too difficult to recover from, because only your SharePoint server has crashed. Although the SharePoint server is an important cog in the SharePoint system, SQL Server is equally important, and you can take advantage of your functioning SQL Server system to get things back online quickly. You need to get a server working, either by getting a new server or fixing whatever's broken in your existing server, then reinstall Windows and get it patched, configured, and joined back to your domain. Next, you must reinstall SharePoint. After the prerequisites are installed and the SharePoint bits are installed, you need to run the SharePoint Products Configuration Wizard.

Here's where the real magic happens. Instead of building a new SharePoint farm, you can simply connect to an existing farm. When you're asked which farm to connect to, point the Configuration Wizard at your existing SQL Server machine and the SharePoint configuration database that it contains. Armed with the information held in your farm's configuration database, the newly built SharePoint server can access your existing web applications and start serving them up almost immediately. SharePoint uses timer jobs to create the environment necessary to serve up your content. Your web applications will be created in Microsoft IIS with these timer jobs. Solutions that were installed in your farm will be installed on your new server via timer jobs. After the configuration is complete, you might have a few small odds and ends to clean up, but these tasks are minimal considering that you've recovered from a complete server failure.

You'll need to manually restore the following, preferably from machine-level backups and notes:

• Any host headers in IIS; SharePoint creates only the header that was designated when the web application was created

• Any SSL certificates used if your SharePoint site uses HTTPS

• Any files that weren't added to the SharePoint root (the 14 hive) with a feature or solution (e.g., document icons)

• Any changes that were manually made to web.config files, such as when configuring Forms-based Authentication

You can probably see a pattern here. For the most part, if you didn't make a change inside SharePoint, then SharePoint doesn't know about the change and you'll need to manually redo it. Again, it's a small price to pay when recovering from a total server meltdown.

SQL Server crashes. Although a crashed SharePoint server might be the low spot of your day, it's an easy disaster to recover from because most of what makes SharePoint so valuable—the contents—is actually stored in SQL Server. But what happens if SQL Server crashes? This type of disaster isn't terribly difficult to recover from either, as long as you have backups. If SQL Server does crash, of course SharePoint won't be able to serve any content to your users, nor will it be able to provide any sort of administrative interface for you either. But that's OK, because you won't have to focus any attention on SharePoint—your recovery efforts will be focused solely on SQL Server.

Servers crash for many reasons, so recovery methods vary. Let's start with a storage failure. Imagine that your SQL Server system itself is fine, but the disks it stores your SharePoint databases on have failed. This could be a big expensive SAN or NAS device, or it could be a couple of internal Serial ATA (SATA) drives. SharePoint won't work until you get those databases back online. After you've fixed the storage issue, restore your SharePoint databases to SQL Server. As long as you restore the databases with the same names, SharePoint should just reconnect to them. You might need to reboot your SharePoint boxes to get everything working, depending on what state the connections are in. A lot of SharePoint processes talk to SQL Server, and abruptly severing those connections can make SharePoint unhappy. A good cleansing reboot typically removes any hard feelings and gets everyone talking nicely again.

Remote Blob Storage Affects Database Backup

Microsoft SharePoint Server content resides in your content databases, unless you're using Remote Blob Storage. RBS externalizes your content and gets it out of Microsoft SQL Server. In such a scenario, SQL Server database backups aren't adequate for disaster recovery. Different vendors implement RBS in various ways. If you decide to use RBS, you should consult the vendor for the best way to back up your externalized content.

What if the storage is fine, but the SQL Server system itself crashed? Maybe a power supply failed, or even worse a motherboard went out. Again, SharePoint will be pretty understanding. If you can get the server repaired and brought back to its former state, then SharePoint will have no idea anything happened. Like before, after a cleansing reboot, all is forgotten.

But what if you can't restore your SQL Server system to its original state? What if the OS drive is destroyed, the power supply is smoking, the flux capacitor is no longer fluxing, and you need to rebuild the server? Or what if the machine that failed was running Windows Server 2003 and SQL Server 2005? It seems counterintuitive to reinstall those programs in the year 2011. Fortunately, none of that matters to SharePoint. If your SQL Server system fails, you can replace it with a system that's running a shiny new OS such as Windows Server 2008 R2 SP1 and the latest version of SQL Server. As long as the new SQL Server instance has the same name and the databases have the same name, SharePoint won't care at all. Once again, a reboot of the SharePoint servers and everything is back to normal.

What if the SQL Server instance can't have the same name? Maybe in the time since your SharePoint farm's SQL Server system was deployed, your company invested a lot of time and money into a powerful new centralized SQL Server system. If your current SQL Server system has failed, now would be a great time to migrate everything to the new system. However, the SQL Server instance names are different, and you might be going from a default SQL Server instance (just the name of the SQL Server system) to a named instance (SQL Server system name plus instance name, such as sql01\shpt)—which further complicates things. This scenario might sound scary and impossible, but fortunately it's not. Hidden in the SQL Server client in Windows is the ability to set SQL Server aliases. This is done at a low enough level that the applications themselves (in our case SharePoint) don't know about it at all. They continue to think they're talking to the same SQL Server system they always have, but in reality the SQL Server alias is sending the traffic to a different SQL Server system.

Are you confused yet? Don't worry; it's easier than it sounds. And once you get the hang of it, you can use this technique in situations that are less hectic than complete meltdowns. I don't have enough space in this article to cover SQL Server aliases from start to finish, but I'll cover the basics. If you want a more detailed description of the process, you can follow a step-by-step explanation in my blog post "Moving SharePoint to a different SQL server" at www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=255.

The highlights of SQL Server aliases are that they're a client-side operation; you don't need access to the SQL Server system at all. On each of your SharePoint servers, you set up a SQL Server alias that points to your new SQL Server system. To do so, click Start, Run and enter cliconfg. Click Add to create a new alias. SharePoint uses TCP/IP to communicate with SQL Server, so you need to select TCP/IP, as Figure 1 shows. In the Server alias text box, enter the old name of your SQL Server system. This is the SQL Server system that SharePoint is configured to communicate with. Under Connection parameters, in the Server name text box, enter the new SQL Server system's name. Click OK to finish creating the alias. If you're feeling generous, reboot your SharePoint servers to recreate all your SQL Server connections. If you have multiple SharePoint servers in your farm, you need to create the SQL Server alias on all of them.
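The same alias can be scripted so it is created identically on every SharePoint server. The following is an added example, not code from the article or its author: it writes the TCP/IP alias to the registry keys that cliconfg edits (the 64-bit and the 32-bit client paths), then opens a connection through the alias to confirm which instance actually answers. The server names are constructed placeholders, and the script must run elevated.

```powershell
# Added example (not from the article): create a SQL Server client alias the
# way cliconfg does, but scripted. Run as an administrator on each SharePoint server.
$OldSqlName = "sql01"        # placeholder: the name SharePoint was configured with
$NewSqlName = "sql02\shpt"   # placeholder: the new instance the alias should reach

function Set-SqlClientAlias {
    param(
        [Parameter(Mandatory)][string]$AliasName,    # what SharePoint asks for
        [Parameter(Mandatory)][string]$ServerName,   # where the traffic really goes
        [int]$Port                                    # optional fixed port; omit to use SQL Browser
    )
    # TCP/IP aliases are stored as a string value "DBMSSOCN,<server>[,<port>]"
    # under ConnectTo. 64-bit and 32-bit clients read different keys, so write both.
    $value = if ($Port) { "DBMSSOCN,$ServerName,$Port" } else { "DBMSSOCN,$ServerName" }
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo"
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $AliasName -Value $value -Type String
    }
}

function Test-SqlAlias {
    param([Parameter(Mandatory)][string]$AliasName)
    # Connect through the alias exactly as SharePoint will, and ask the instance
    # for its real name so you can see the redirection working.
    $connString = "Server=$AliasName;Database=master;Integrated Security=SSPI;Connection Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT @@SERVERNAME"
        return [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

Set-SqlClientAlias -AliasName $OldSqlName -ServerName $NewSqlName
"Alias $OldSqlName now answers as: $(Test-SqlAlias -AliasName $OldSqlName)"
```

Existing SharePoint processes keep their current connections, so reboot (or at least restart the timer service and IIS) after the alias is in place, as the article recommends.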


SharePoint 2010 includes a special feature for environments that use SQL Server mirroring. (Later in this article, I cover different ways to replicate your databases in more detail and explain exactly what mirroring is.) For each database in SharePoint, you can specify a mirror server. Figure 2 shows the settings for a content database; the other databases have a similar interface. The Failover Server setting is where you specify the mirrored instance. If the main SQL Server system goes down and a mirror instance is defined, SharePoint automatically switches over to it. After you fix your primary SQL Server instance, you can switch back and reconfigure your SQL Server mirror. This lets you keep SharePoint online during trouble, as well as prevents your users from rushing your office with pitchforks and torches.
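Setting the Failover Server box by hand for every database is tedious in a farm of any size. This added example (not from the article or its author) uses the SharePoint PowerShell API to register the mirror instance for all farm databases in one pass and then reports what each database now points at; the mirror name is a constructed placeholder.

```powershell
# Added example (not from the article): register a mirror instance as the
# failover server for every SharePoint database, then report the result.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$MirrorInstance = "sql02"   # placeholder: the mirrored SQL Server instance

function Set-SPDatabaseFailover {
    param([Parameter(Mandatory)][string]$FailoverServer)
    foreach ($db in Get-SPDatabase) {
        # Skip databases already pointed at this mirror so the script is safe to re-run
        if ($db.FailoverServer -and $db.FailoverServer.Name -eq $FailoverServer) { continue }
        $db.AddFailoverServiceInstance($FailoverServer)   # same as the Failover Server box in Figure 2
        $db.Update()
    }
}

function Get-SPDatabaseFailoverReport {
    # One row per database: where it lives and where SharePoint will fail over to
    Get-SPDatabase | Select-Object Name,
        @{ n = "Server";   e = { $_.NormalizedDataSource } },
        @{ n = "Failover"; e = { if ($_.FailoverServer) { $_.FailoverServer.Name } else { "(none)" } } }
}

Set-SPDatabaseFailover -FailoverServer $MirrorInstance
Get-SPDatabaseFailoverReport | Format-Table -AutoSize
```

The failover setting only tells SharePoint where to go; the SQL Server mirroring session for each database still has to exist and be in sync, which the Planning Ahead section covers.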

Facility failures. SharePoint can be very resilient if individual pieces fail. But what if the entire facility fails? Mother Nature is an equal opportunity destroyer. Regardless of where your servers are located, there's a natural disaster or two waiting to take them out. Now that we know how to recover individual SharePoint pieces, we can learn how to prevent them from all failing at once.

We do have one more disaster recovery trick up our sleeves: SharePoint databases are portable between farms. I touched on this a bit in Part 1, but let's take a minute to let it soak in. What this means is that if I have a SharePoint farm in Iowa and a SharePoint farm in Ohio, I can back up my content databases in Iowa and restore them in Ohio. Fortunately, there are no federal laws forbidding me from taking my databases across state lines. From a disaster recovery standpoint, this is priceless. Thus, if a twister rips through Iowa and my data center is taken out by a flying cow, I can quickly get my content back online by attaching backups of my databases to my farm in Ohio. I discussed this capability in Part 1, including how it can be used to recover content in another farm. However, that's only half the battle.

Figure 1: Creating a new SQL Server alias

Figure 2: Content database settings

With SharePoint 2010, we have an increasingly important amount of data in our service application databases. The definitions of our Business Connectivity Services connections are stored in the Business Connectivity Services database. Our term sets are stored in the Managed Metadata database. Our tags and notes are stored in the User Profile Service's Social database. Restoring the content is good, but restoring everything is even better. Not only can we attach content databases to our recovery farm, we can also leverage some of our service application databases. That process isn't as smooth as attaching content databases, but it's not too bumpy. Essentially, you need to create a new service application and point it at the restored databases from your failed farm. When SharePoint creates the new service application, it will look to see if a database with the name you specified exists. If it does, instead of creating a new database, SharePoint will use the existing one instead. This process works with the following service applications:

• Managed Metadata

• Business Connectivity Services

• User Profile Service—Only supported for Social and Profile databases; create a new Sync database when attaching to the existing Social and Profile databases

• Secure Store—You must enter the key from your old farm before the new Secure Store service application can mount your database

• Some service applications (e.g., Excel Services) don't have databases, so we don't have to worry about them at all; other service applications have databases (e.g., Search) that don't support being attached to a different farm

To use a recovery farm, you must ensure that the farm is at the same build level or later as the farm the databases came from. If you're not sure which build number matches which patch, you can consult my blog page for a list of SharePoint 2010 build numbers (www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=224).

When disaster strikes, you can take the backup copies of your service application databases and recover them to your recovery farm's SQL Server instance. Then, you can create the service applications that correspond to your recovered databases. If the recovery farm already has a particular service application, you can either delete and recreate it or create a second instance. You also need to attach your content databases. For more information about renaming and moving databases, see the Microsoft TechNet articles "Rename or move service application databases (SharePoint Server 2010)," at technet.microsoft.com/en-us/library/ff851878.aspx, and "Plan for availability (SharePoint Server 2010)," at technet.microsoft.com/en-us/library/cc748824.aspx.
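The recovery-farm procedure above (build check, service applications pointed at restored databases, content databases attached) as one script. This is an added example, not code from the article or its author; it assumes the database backups have already been restored to the recovery farm's SQL Server instance, and every instance, database, and web application name in it is a constructed placeholder.

```powershell
# Added example (not from the article): bring restored databases into a recovery
# farm. Assumes the backups are already restored on the recovery instance.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SqlInstance = "sql-recovery"                      # placeholder recovery instance
$AppPool     = "SharePoint Web Services Default"   # an existing service application pool

function Assert-RecoveryFarmBuild {
    # The recovery farm must be at the same build as the failed farm or later.
    param([Parameter(Mandatory)][Version]$SourceBuild)
    $local = (Get-SPFarm).BuildVersion
    if ($local -lt $SourceBuild) {
        throw "Recovery farm is at build $local, older than source build $SourceBuild. Patch it first."
    }
    return $local
}

function Restore-ServiceApplications {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][string]$AppPool,
        [Parameter(Mandatory)][string]$SecureStorePassphrase
    )
    # Managed Metadata: a database with this name already exists on the instance,
    # so SharePoint attaches to it instead of creating an empty one.
    $mms = New-SPMetadataServiceApplication -Name "Managed Metadata Service" `
        -ApplicationPool $AppPool -DatabaseServer $Instance -DatabaseName "MMS_Recovered"
    New-SPMetadataServiceApplicationProxy -Name "Managed Metadata Service Proxy" `
        -ServiceApplication $mms -DefaultProxyGroup | Out-Null

    # Business Connectivity Services: same pattern.
    New-SPBusinessDataCatalogServiceApplication -Name "Business Data Connectivity Service" `
        -ApplicationPool $AppPool -DatabaseServer $Instance -DatabaseName "BCS_Recovered" | Out-Null

    # User Profile: reuse the restored Profile and Social databases, but give the
    # Sync database a new name so SharePoint creates a fresh one.
    $ups = New-SPProfileServiceApplication -Name "User Profile Service" -ApplicationPool $AppPool `
        -ProfileDBServer $Instance     -ProfileDBName     "UPS_Profile_Recovered" `
        -SocialDBServer $Instance      -SocialDBName      "UPS_Social_Recovered" `
        -ProfileSyncDBServer $Instance -ProfileSyncDBName "UPS_Sync_New"
    New-SPProfileServiceApplicationProxy -Name "User Profile Service Proxy" `
        -ServiceApplication $ups -DefaultProxyGroup | Out-Null

    # Secure Store: the restored database stays unreadable until the old farm's
    # passphrase is supplied through the new proxy.
    $sss = New-SPSecureStoreServiceApplication -Name "Secure Store Service" -ApplicationPool $AppPool `
        -DatabaseServer $Instance -DatabaseName "SecureStore_Recovered" -AuditingEnabled
    $sssProxy = New-SPSecureStoreServiceApplicationProxy -Name "Secure Store Service Proxy" `
        -ServiceApplication $sss -DefaultProxyGroup
    Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $sssProxy -Passphrase $SecureStorePassphrase
}

function Restore-ContentDatabases {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][string]$WebAppUrl,
        [Parameter(Mandatory)][string[]]$DatabaseNames
    )
    foreach ($name in $DatabaseNames) {
        # Attaches the restored content database to the recovery farm's web application
        Mount-SPContentDatabase -Name $name -DatabaseServer $Instance -WebApplication $WebAppUrl | Out-Null
    }
}

# Usage. The source build is an example value (SharePoint 2010 SP1); use the
# build of the farm the databases came from.
Assert-RecoveryFarmBuild -SourceBuild ([Version]"14.0.6029.1000") | Out-Null
$passphrase = Read-Host "Secure Store passphrase from the failed farm"
Restore-ServiceApplications -Instance $SqlInstance -AppPool $AppPool -SecureStorePassphrase $passphrase
Restore-ContentDatabases -Instance $SqlInstance -WebAppUrl "http://intranet" -DatabaseNames @("WSS_Content_Intranet")
```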

Planning Ahead

Although I discussed the necessity of getting copies of your databases to the recovery farm, I didn't explain exactly how to do so. Any method that replicates SQL Server databases will work; the method you use depends on a lot of factors. The most important factor is probably cost. High-availability options such as mirroring require additional SQL Server licenses and time to configure. However, you get a lower RTO and RPO for that extra cost and effort, as well as better business continuity. Database mirroring is SQL Server functionality that mirrors changes made to a database on one SQL Server system to a corresponding database on another SQL Server system. SQL Server performs this function by copying the transactions from your primary instance and applying them to your mirrored instance. This process keeps your instances in step and reduces the chance that you'll lose data if your primary SQL Server system crashes. The mirroring options you have vary by which version of SQL Server you're running.

If your business doesn't have the need or funds to implement mirroring, you can also use transaction log shipping to another SQL Server instance. Then, in the case of a disaster, you can restore your database and transaction log backups to your recovery SQL Server instance. After your SharePoint installation is back online, you can use a SQL Server alias to point your SharePoint farm at the new SQL Server instance. If you don't have transaction log backups to restore, your recovery instance could just be populated with your last database backups. Of course, this all depends on your defined RPO. The point is that however you decide to back up your databases, SharePoint can work with your method.

SharePoint is a complicated beast, and when things go wrong, they can go spectacularly wrong. The good news is that even if SharePoint does turn on you and try to destroy all your data, getting it back might be easier than you imagine. If you're proactive and have good backups of your databases, as well as the discipline to test them, you'll probably be able to recover from anything SharePoint can throw at you.
■ NEW & IMPROVED

■ Systems Management ■ Unified Communications ■ Thin Client ■ Security



HP Announces HP t5740e Thin Client

HP has announced its first thin client featuring WES7 SP1 with RDP 7.1 to enable RemoteFX, the HP t5740e Thin Client. Through a software-based implementation, integrating Microsoft RemoteFX (RFX) technology lets the HP t5740e Thin Client deliver a "local-like" user experience for Microsoft Remote Desktop Services Session Host desktop and virtual desktop infrastructure customers. Remote workers can access any type of application or screen content, including rich media and 3D applications. The t5740e Thin Client also supports local applications and a full browser. To learn more, visit www.hp.com.


Auslogics Software Releases Disk Defrag 3.2

Auslogics Software has released Disk Defrag 3.2, the latest version of its free disk defragmentation and optimization tool. According to the vendor, the product "uses advanced algorithms that turn the tool into a comprehensive hard drive defragmentation and optimization solution. All this makes Disk Defrag one of the most popular and trusted disk defragmenters available today." Version 3.2 offers improved defragmentation and free space consolidation algorithms, improved usability, GUI enhancements, a more detailed drive map, and enhancements to auto-defragmentation and scheduling. To learn more, visit www.auslogics.com.

Broadcore Expands Cloud-Based Offering with Video Bridging

Broadcore has added video bridging to its cloud-based telephony services. In addition to video conferencing, video bridging allows users to connect with and view multiple people simultaneously. Features of the video bridging include the ability to make voice or video calls from the same device, HD audio for all calls, access code and password requirements for video bridge calls, no need for hardware, and a scalable service in terms of meeting size and call frequency. To learn more, visit www.broadcore.com.

BeyondTrust Introduces PowerBroker Desktops 5.0

BeyondTrust has announced PowerBroker Desktops 5.0. New features include automatic rule generation to eliminate administrator privileges from users, updates to item-level targeting to match Microsoft Group Policy preferences, a new wizard for creating rules, a new rule to target an application for elevation rules, the ability to group rules, a library of over 100 rules, a new dashboard, and expanded wildcard use. To learn more, visit www.beyondtrust.com.
LabTech Software Releases Remote Monitoring and Management

LabTech Software has announced the release of LabTech 2011, with new features and enhancements highlighting LabTech's commitment to the channel. Features of the solution include remote desktop, monitoring, trouble ticket tracking, user information, and support and software management.

New features include: SNMP discovery, detection, and collection; custom alerts; heads-up displays; a LabTech Marketplace to download updates, reports, and more; mobile updates; greater control over recurring maintenance; a new Patch Manager that brings all hotfix patches to a centralized location; the ability to Telnet from any LabTech agent to any IP address and keep the session open to make calls to it; and integration with ConnectWise PSA software.

"The release of LabTech 2011 introduces many new innovations to help IT solution providers better manage and automate their businesses," said LabTech Software CFO Matt Nachtrab. "One of the most powerful features in this release is the new LabTech probe with its SNMP discovery, detection, and collection capabilities. LabTech 2011 and future releases are all about helping today's IT solution providers implement powerful, robust automation solutions using a simple, easy-to-use management interface."

You can download a free trial of LabTech 2011 to test the software for yourself. To learn more, visit www.labtechsoftware.com.

Norton Internet Security 2012 Beta Available

Norton by Symantec has released the 2012 beta versions of Norton AntiVirus and Norton Internet Security, which are now available for free download. Improvements include performance enhancements and security updates, such as the ability to assess the safety and stability of an application before installation. The new betas also offer Insight 3.0, which is the latest version of Norton's reputation-based security technology, which identifies and blocks new malicious software based on the adoption patterns of Symantec users. They also include SONAR 4.0 behavioral protection, which monitors running applications for suspicious behavior. To download the betas, visit www.norton.com/nis2012beta or www.norton.com/nav2012beta.

Forum Systems Announces Unified Content Firewall

Forum Systems has announced the next generation of Web App Firewall. WAF unites threat protection, scalability, and the Federated Identity capabilities of an XML Gateway within one firewall. WAF is able to enforce decisions across identity tokens and repositories, delivering content without requiring multiple sign-ins. The product is also able to support, secure, and scale both HTML and XML data patterns. Other features include authentication and authorization for SAML-based token types, RegEx and other common filter policies, PKI management, SSL termination, and auditing and compliance reporting. To learn more, visit www.forumsys.com.

PacketSentry Appliance Gives Control Across VMware

PacketMotion has announced the release of the PacketSentry Virtual Probe, which extends PacketMotion's comprehensive security solution to virtual and cloud environments. Applications monitored include databases, fileshares, web applications, and document management, among others. According to the vendor, the appliance can implement multiple controls in a single application, run as a guest VM that consumes 3-5 percent of the host's CPU, react to transaction patterns without the need to know specific IP addresses, and automate deployment of identity-based policy in the virtual data center. To learn more, visit www.packetmotion.com.
Paul's Picks

www.winsupersite.com

Summaries of in-depth product reviews on Paul Thurrott's SuperSite for Windows


Microsoft's Skype Acquisition

PROS: Provides Microsoft with a solid consumer brand; Skype's peer-to-peer (P2P) technologies don't overlap with Microsoft's existing communications solutions

CONS: Existing Microsoft technologies already offer much of the functionality of Skype; it seems like Microsoft paid a premium price

RATING: ♦♦♦◊◊

RECOMMENDATION: When Microsoft announced its intention to purchase Skype for a blockbuster $8.5 billion in cash, it sent shock waves throughout the tech industry. But what does this really mean? First, Skype has a killer brand. Second, it keeps Skype out of the hands of Facebook and Cisco. And finally, while Microsoft's communications functionality requires a client-server architecture, Skype's is a pure P2P solution. Will this deal pass regulatory muster? For now, call me cautiously optimistic.

CONTACT: Microsoft • www.microsoft.com
DISCUSSION: http://bit.ly/IOWwmU

Windows Thin PC

PROS: Another option for bringing Windows 7 capabilities to environments with older PCs

CONS: Requires server infrastructure and Software Assurance (SA) licensing

RATING: ♦♦♦◊◊

RECOMMENDATION: Windows Thin PC (WTPC) is a replacement for Windows Fundamentals for Legacy PCs (WinFLP). It lets enterprises repurpose aging Windows XP-based PCs as Windows 7-based thin clients. Essentially a stripped down and embedded version of Windows 7, WTPC is compatible with the same hardware and software. But WTPC can be locked down, making it ideal for educational and kiosk environments as well as corporate settings. It requires a Windows Server 2008 R2 SP1-based infrastructure and utilizes that system's RemoteFX capabilities to provide 3D graphics, including the Aero glass UI. The client requirements are low-end: a 1 GHz or faster CPU (32-bit or 64-bit), 1GB of RAM, just 16GB of available hard drive space, and a bootable DVD drive. Does Windows Thin PC make a lot of sense? For some, sure. But it's not for everyone.

CONTACT: Microsoft • www.microsoft.com
DISCUSSION: http://bit.ly/iXi6WN and http://bitly/lyLaMI
Congratulates the Winners of Best of TechEd 2011

by Jason Bovberg

In downtown Atlanta, we narrowed an impressive field of more than 300 submissions down to 15 winners

Microsoft TechEd took place in Atlanta this year—and a month earlier in the year, avoiding the oppressive heat that afflicted last year's humid New Orleans event. The Best of TechEd Awards recognize Microsoft partners that offer innovative products and services in the marketplace. Our judging panel narrowed an impressive field of more than 300 submissions down to 46 finalists in 16 categories. Onsite in Atlanta, the team interviewed the finalists and evaluated the products to determine a final list of winners. Show attendees also cast their votes to determine the winner of the prestigious Attendees' Pick Award. It was a fun week, capped off with a wonderful awards party at the aquarium. Congratulations to our 2011 winners!


Backup/Recovery

CommVault Simpana 9

Simpana has evolved into a comprehensive, one-stop suite of data-protection functionality, and version 9 brings an impressive array of new features to the table, including "universal de-duplication," snapshot protection, and fast-migration options—as well as smooth Exchange/SharePoint and VMware/Hyper-V virtualization integration.

Business Intelligence

ComponentOne OLAP for Silverlight

OLAP for SilverLight enables you to create interactive reports, charts, pivot tables, and dashboards. Custom end-user views can be persisted and reports can be distributed as PDFs. This product fills an important need by bringing OLAP data-analysis capabilities to businesses without the need for complex BI infrastructures.

Photo: CommVault takes the prize

Database Development

Red Gate SQL Developer Bundle

DBA Developer Bundle is an essential collection of 10 SQL development tools, including SQL Prompt (which helps you write T-SQL scripts), SQL Source Control (which facilitates team development), SQL Compare and Data Compare (which compare and synchronize databases), and SQL Search (which locates database objects).

Database Administration

Idera SQL toolbox

Idera SQL toolbox is a powerful collection of database-management tools that perform system monitoring, diagnostics, and troubleshooting. SQL toolbox includes: the SQL admin toolset, SQL comparison toolset, SQL safe lite, and SQL virtual database. One feature that sets Idera's SQL toolbox apart is its SQL doctor feature.

Hardware/Storage

Cisco Unified Computing System B250 M2 Blade

Cisco UCS is a high-density, highly scalable, awesomely powerful network, compute, virtualization, and management backbone that re-architects the notion of the blade chassis. The B250 M2 Blade exemplifies Cisco's ubiquitous nature in the server room.

Messaging

Messageware OWA Desktop

OWA Desktop is the first desktop client for Microsoft Outlook Web Access (OWA), bringing web mail functionality to the desktop with a thin client. The product's small footprint, time-saving features, and low cost make it stand out.

Mobile/Wireless

Odyssey Athena for Configuration Manager 5.0

Athena is a mobile device management product that integrates with System Center Configuration Manager to provide administrators a "single pane" view of all the smartphones and tablets they have to manage.

Networking

Spiceworks

Combining network, PC, and Help desk management with a robust online community, Spiceworks has become a one-stop resource for 1.7 million IT professionals.

Security

Accellion Secure Collaboration

Accellion Secure Collaboration integrates seamlessly with your existing IT environment and makes secure file transfer a point-and-click affair.

SharePoint Administration

Colligo Networks Contributor Pro

Contributor Pro aims to extend SharePoint's collaboration and content-management features. Its emphasis on increasing user adoption of SharePoint and on metadata management simplifies SharePoint.

SharePoint Development

K2/SourceCode K2 blackpearl

K2 blackpearl is a business process management solution for SharePoint that lets you automate and streamline business processes including workflows. It's a Silverlight-based solution that offers three design environments in which devs, admins, and power users can create SharePoint workflows, processes, and applications.

Software Development

DevExpress DXperience Universal

DXperience Universal is an enterprise-level component suite that enables developers to build WinForm, ASP.NET, WPF, and SilverLight applications. DXperience includes all of the company's UI controls, as well as the Object Relational Framework and productivity tools.

Systems Management/Operations

Specops Deploy 4.2

SpecOps Deploy rises to the top of the software-deployment field, handling the entire range of software deployment, from simple user self-service to unattended re-imaging of an entire department of computers.

Virtualization

Citrix XenDesktop

XenDesktop manages desktop virtualization. It handles both VDI and application virtualization. The product's longstanding reputation as a leader in desktop virtualization and its commitment to keeping up with the latest trends and platforms make it a clear leader in virtualization.

Microsoft

Windows Intune

Windows InTune makes system management easy. Companies of all sizes can begin managing their clients in hours rather than weeks or months. Windows InTune will change the way we manage everything.

Cloud Computing Product/Service

Windows Intune

Windows InTune is a major milestone for Microsoft and the avatar of a new category of products: management as a service. Take note of this product! It's a herald of things to come from Redmond.

Photo: Xiotech makes a splash at the show

Breakthrough Product

Xiotech Hybrid ISE

The Hybrid ISE Storage Blade is a high-performance storage device that fuses traditional hard disk drives and SSDs to provide more than 60,000 input/output operations per second (IOPS), as well as a stunning 14.4 terabytes of usable capacity. The Hybrid ISE wins the coveted Breakthrough Product of the Year thanks to its patented Continuous Adaptive Data Placement (CADP) feature, which moves data from hard disk to SSD on an as-needed basis, avoiding hot spots and providing unprecedented performance.

Attendees' Pick

Xiotech Hybrid ISE

Congratulations to Xiotech for capturing the Attendees' Pick award! This is one stylish, powerful, revolutionary piece of technology.
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REVIEW 

PowerGUI Pro 2.4 



When I do a review, I always try to 
explore an angle on a product that 
hasn't been taken before—so it would 
be pointless for me to say that Quest's 
PowerGUI Pro is a great tool for systems 
administrators who want to get started 
using PowerShell (even though it is). 
Instead, I approached this product from 
the other side, asking myself, "What if 
I were already a PowerShell rock star? 
What benefit would PowerGUI provide?" 

PowerGUI's requirements are fairly minimal: 1GHz or better processor, 1GB of RAM, and any OS configuration that supports PowerShell 2.0. Other prerequisites depend on what you want to do with the product. For example, if you want to manage Microsoft Exchange Server 2007, you must have Exchange Management Shell (EMS) installed. 

Assuming that you already know PowerShell inside and out, let's take a look at what PowerGUI Pro can do for you. PowerGUI is a graphical wrapper for your PowerShell scripts. If your organization is anything like mine, there's one lone PowerShell guy in the whole company (i.e., me) who is required to create scripts for procedures and is tasked with encouraging adoption of these methods. In such a scenario, if the people whom you need to use the scripts have PowerGUI installed, you can easily plug in your script and in a few minutes have a GUI front end for it. 

The other side of PowerGUI Pro is the PowerGUI Pro Script Editor. This script editor is a huge improvement over the Integrated Scripting Environment (ISE) that ships with PowerShell 2.0. The inline auto-suggestion (think IntelliSense) of cmdlets and properties is top-notch, and there's even an autosave feature. 

Usually, I wouldn't be excited about autosave, but I was recently working on a rather large script (more than 900 lines) and left my desk for a few minutes, at which point Microsoft System Center Configuration Manager's (SCCM's) automatic updates launched and rebooted my machine—which caused me to lose an entire day's work. When the same situation occurred after I installed PowerGUI Pro, the software's autosave did its job beautifully. 

Figure 1: Preinstalled PowerGUI Pro nodes 

PowerGUI also includes several small but intuitive features that make the PowerGUI Pro Script Editor seem more like a complete development environment than a scripting tool. Multi-line commenting, the ability to select from and insert PowerShell and Visual Basic (VB) snippets, and built-in mouse-over help for cmdlets are features that have saved me an average of 45 minutes per day. Debugging is also available, as is a list of your variables. 

When you install and run PowerGUI, you'll notice that the product is already prepopulated with some nodes. As Figure 1 shows, PowerGUI includes support for Active Directory (AD) and Exchange by default. PowerGUI has a large and active online community, and there are PowerPacks (add-ons for PowerGUI that the online community has created) for just about every PowerShell-enabled product you can imagine, as well as some products that don't have a native PowerShell environment. 


PowerGUI Pro has an online price of $199. In a business environment, this tool is well worth its price. Even in these cost-cutting times, justifying the cost of PowerGUI is easy. My reasoning is that even though I can use PowerShell to eliminate much of the cost of custom development for certain applications internally, PowerGUI Pro gives my custom scripts the look and feel necessary to make users comfortable using them. 

InstantDoc ID 136009 

PowerGUI Pro 2.4 

PROS: Cost-effective; easy to install and use; 
removes barriers to implementing in-house 
PowerShell solutions 

CONS: None to speak of 

RATING: 

PRICE: $199 per installation 

RECOMMENDATION: Get it, and use it. I've 
become addicted to PowerGUI Pro, especially the 
PowerGUI Pro Script Editor. 

CONTACT: Quest Software • 800-306-9329 • 
www.quest.com 


Ryan Periling | ryan@palador.com 
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Object Life Cycle Management 
Tools for Active Directory 

Eliminate the inconvenience of manually creating, modifying, and deleting 
Active Directory objects with these automated management tools 

by Sean Deuby 


Editor's Note: Information in this buyer's guide comes from 
vendor representatives and resources and is meant to jumpstart, 
not replace, your own research; also, the table isn't necessarily 
comprehensive, as some products might have been left out due to 
lack of vendor response. 

Active Directory (AD) management falls into two categories: service management and data management. Service management is the care and feeding of the AD service itself—the domain controllers (DCs), the logical AD structure and directory partitions, and replication between DCs. AD data management is about how you fill this empty shell of a directory with security principals: users, computers, and groups. It's about how you manage these objects, using tools such as Group Policy. And finally, it's about how you maintain the life cycle of these objects. For example, is this computer object obsolete? Should this group continue to exist? Is this group owner still correct? Should this user still exist, and is its group membership current? 

Object life cycle management in AD is a neglected practice. IT shops of all sizes are very focused on the beginning of object life cycle management—for example, creating users and assigning them to groups, so that those users can quickly become productive. After users are active, stages of object life cycle management include creating new groups when projects and organizations change and removing users and groups when they no longer require access. 

One of AD's main functions is to seamlessly connect users to the resources they need. The first two phases of an object's life cycle, creation and modification, are driven by this clear business need of putting users and resources together. Where most home-grown object management fails, however, is the last phase of the life cycle: getting rid of what should no longer be there—for example, user accounts that should be disabled or removed, security groups that have incorrect membership (or no membership at all) or an obsolete manager, and computer objects for computers that no longer exist. This tends to be a problem because, unlike in the phases of creating and modifying objects, there's no immediate business need that drives cleanup. As a result, large enterprises can easily have tens of thousands of security groups—and trying to manually keep them accurate is impossible. 

This is where AD tools that specialize in managing users, groups, and computers come in. These tools can save a company a great deal of time and money by automating the creation, modification, and deletion of AD objects. In addition, AD management tools provide benefits by ensuring that object attribute formats (e.g., naming standards, telephone numbers) are consistently enforced across the forest. This makes life easier for downstream applications that pull identity information from AD. 

How might you justify such a utility? Security can be a big 
driver for this kind of tool because these tools help minimize risks 
from stale users and groups. Attestation (the process of verifying 
the need and configuration of a security principal on a regular 
basis) ensures that a group keeps up with its need and is removed 
when the need is gone. For example, with these tools, you'd want 
to immediately enable attestation for all groups that have elevated 
rights in AD so that any employees who leave the team are quickly 
removed. Attestation workflows are important object life cycle 
management components, and about half the products in this 
buyer's guide include these workflows. 
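An added PowerShell example, not from the buyer's guide or from any vendor listed in it, that reports the cleanup-phase problems described above (stale users and computers, empty or ownerless security groups) and produces an attestation sheet for the elevated groups. It assumes the RSAT ActiveDirectory module is installed; the 90-day threshold, the privileged-group list, and the output folder are assumptions to adjust for your forest. It is read-only: it writes CSV reports and changes nothing in the directory.

```powershell
# Added example: read-only AD object life cycle report (stale objects + attestation sheet).
# Assumptions: RSAT ActiveDirectory module; thresholds and group names below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [int]$StaleDays = 90,                                                   # assumed inactivity window
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',   # assumed list of elevated groups
                                    'Schema Admins', 'Administrators'),
    [string]$OutDir = "$env:TEMP\ad-lifecycle-report"                       # assumed output folder
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp is replicated between DCs (lastLogon is not) but may lag by up to 14 days,
# so treat it as an estimate of inactivity, not proof.
function Get-LastLogon($obj) {
    if ($obj.lastLogonTimestamp) { [DateTime]::FromFileTime($obj.lastLogonTimestamp) } else { $null }
}

# 1. Enabled user accounts that have never logged on (and are older than the window) or are stale.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated, PasswordLastSet |
    Where-Object {
        $last = Get-LastLogon $_
        ($null -eq $last -and $_.whenCreated -lt $cutoff) -or ($last -and $last -lt $cutoff)
    } |
    Select-Object SamAccountName, DistinguishedName, whenCreated, PasswordLastSet,
        @{ n = 'LastLogon'; e = { Get-LastLogon $_ } }
$staleUsers | Export-Csv -NoTypeInformation -Path "$OutDir\stale-users.csv"

# 2. Enabled computer objects that have not authenticated within the window (likely decommissioned).
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, OperatingSystem |
    Where-Object { $last = Get-LastLogon $_; $last -and $last -lt $cutoff } |
    Select-Object Name, OperatingSystem, DistinguishedName, @{ n = 'LastLogon'; e = { Get-LastLogon $_ } }
$staleComputers | Export-Csv -NoTypeInformation -Path "$OutDir\stale-computers.csv"

# 3. Security groups with no members, no owner, or an owner (managedBy) that is missing or disabled.
$groupFindings = foreach ($g in Get-ADGroup -Filter { GroupCategory -eq "Security" } -Properties Members, ManagedBy) {
    $issues = @()
    if ($g.Members.Count -eq 0) { $issues += 'no members' }
    if ($g.ManagedBy) {
        $owner = Get-ADObject -Identity $g.ManagedBy -Properties userAccountControl -ErrorAction SilentlyContinue
        if (-not $owner) { $issues += 'owner object missing' }
        elseif ($owner.ObjectClass -eq 'user' -and ($owner.userAccountControl -band 2)) { $issues += 'owner disabled' }  # bit 2 = ACCOUNTDISABLE
    } else { $issues += 'no owner' }
    if ($issues.Count) {
        [pscustomobject]@{ Group = $g.SamAccountName; DN = $g.DistinguishedName; Issues = ($issues -join '; ') }
    }
}
$groupFindings | Export-Csv -NoTypeInformation -Path "$OutDir\group-findings.csv"

# 4. Attestation sheet for elevated groups: every user member (nested groups expanded), flagged when
#    the account is disabled or stale, with an empty column for the group owner to record Keep/Remove.
$attest = foreach ($name in $PrivilegedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    foreach ($m in Get-ADGroupMember -Identity $grp -Recursive | Where-Object ObjectClass -eq 'user') {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties lastLogonTimestamp
        $last = Get-LastLogon $u
        $flag = if (-not $u.Enabled) { 'DISABLED' } elseif ($last -and $last -lt $cutoff) { 'STALE' } else { '' }
        [pscustomobject]@{ Group = $name; Member = $u.SamAccountName; Enabled = $u.Enabled
                           LastLogon = $last; Flag = $flag; Attested = '' }
    }
}
$attest | Export-Csv -NoTypeInformation -Path "$OutDir\privileged-attestation.csv"

"Stale users: $(@($staleUsers).Count); stale computers: $(@($staleComputers).Count); group findings: $(@($groupFindings).Count)"
"Privileged members to attest: $(@($attest).Count). Reports written to $OutDir"
```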

Another important security driver is change auditing. When combined with reporting capabilities and the enhanced auditing capabilities in Windows Server 2008, tools that provide change auditing can tell you what changed in your directory, when it changed, and who changed it. This points to another strength of these tools: compliance. The need to comply with government requirements alone can justify your purchase. Sometimes, justification is as simple as proving that purchasing a utility with efficient or self-service password reset capabilities will save money compared with the Help desk overhead and lost productivity of a manual reset process. Other features that might be important to you are synchronization with other directory services, both on premises and in the cloud (i.e., Microsoft Office 365), sophisticated Group Policy management, and AD object recovery. 

AD object management tools are a necessary add-on for any mid-sized to enterprise-level business. The labor savings they generate and the security and compliance needs they meet will quickly repay their investment. See the buyer's guide table for a summary of AD object management tools, including their most useful features. 
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OBJECT LIFE CYCLE MANAGEMENT TOOLS 

Blackbird Group (866-224-8330, www.blackbird-group.com) 
  Product: Blackbird Group Management Suite for Active Directory 
  Pricing: $14.40 per user 
  OSs supported: Windows Server 2003 and later 
  Change auditing support: Yes; Automated reports: Yes; Report formats: CSV, PDF 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: No 
  Bulk security principal management: No; Attestation workflow: No; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: Yes/Yes; Permission templates: No 
  Synchronizes data from: SQL Server 
  Temporary user/group management: No/No; SOX compliance capabilities: Yes 

CionSystems (425-605-5325, www.cionsystems.com) 
  Product: Active Directory Manager 
  Pricing: $10.50 per active AD user per year 
  OSs supported: Server 2008/2003/2000 
  Change auditing support: No; Automated reports: Yes; Report formats: CSV, DOC, HTML, LDIF, XLS 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: Yes/No; Permission templates: Yes 
  Synchronizes data from: LDIF interface, custom DLL 
  Temporary user/group management: Yes/Yes; SOX compliance capabilities: Yes 

CionSystems (425-605-5325, www.cionsystems.com) 
  Product: Cloud Identity Management Tool 
  Pricing: From $12 to $24 per active AD user per year 
  OSs supported: Server 2008/2003 
  Change auditing support: Yes; Automated reports: Yes; Report formats: N/A 
  Group Policy auditing: No; Real-time events: No; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: No 
  Backup and restore AD objects/Group Policies: No/No; Permission templates: No 
  Synchronizes data from: on premises to the Microsoft BPOS cloud 
  Temporary user/group management: No/No; SOX compliance capabilities: Yes 

Ensim (408-496-3700, www.ensim.com) 
  Product: Ensim Unify Enterprise 
  Pricing: $12 per user for a standard single user license 
  OSs supported: Server 2008 R2/2008/2003 
  Change auditing support: Yes; Automated reports: Yes; Report formats: CSV, configurable for other output formats as required 
  Group Policy auditing: No; Real-time events: No; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: No; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: No/No; Permission templates: Yes 
  Synchronizes data from: SQL Server, Oracle, any ODBC-compliant database 
  Temporary user/group management: Yes/Yes; SOX compliance capabilities: Yes 

Imanami (925-371-3000, www.imanami.com) 
  Product: GroupID 
  Pricing: Contact vendor 
  OSs supported: Windows XP, Server 2008 R2/2008/2003 
  Change auditing support: Yes; Automated reports: Yes; Report formats: PDF, XLS 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: No/No; Permission templates: No 
  Synchronizes data from: SQL Server, Oracle, AD 
  Temporary user/group management: No/Yes; SOX compliance capabilities: No 

NetWrix (888-638-9749, www.netwrix.com) 
  Product: NetWrix Enterprise Management Suite 
  Pricing: Starts at $22 per enabled AD user 
  OSs supported: Windows 2000 and later 
  Change auditing support: Yes; Automated reports: Yes; Report formats: DOC, HTML, PDF, XLS 
  Group Policy auditing: Yes; Real-time events: Yes; Scheduled add/remove object tasks: No 
  Bulk security principal management: Yes; Attestation workflow: No; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: Yes/Yes; Permission templates: No 
  Synchronizes data from: N/A 
  Temporary user/group management: No/No; SOX compliance capabilities: Yes 

Quest Software (800-306-9329, www.quest.com) 
  Product: Quest ActiveRoles Server 
  Pricing: Starts at $25 per enabled user account 
  OSs supported: Windows 7/Vista, Server 2008 R2/2008 
  Change auditing support: Yes; Automated reports: Yes; Report formats: CSV, MHTML, PDF, TIFF, XLS, XML 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: No/No; Permission templates: Yes 
  Synchronizes data from: SQL Server, Oracle, SAP, PeopleSoft, SaaS OnLine systems 
  Temporary user/group management: No/Yes; SOX compliance capabilities: Yes 

Softerra (800-277-5871, www.softerra.com) 
  Product: Adaxes 
  Pricing: Starts at $1,200 
  OSs supported: Windows 7/Vista/XP, Server 2008 R2/2008/2003 
  Change auditing support: Yes; Automated reports: Yes; Report formats: CSV, HTML, vCard 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: Yes/No; Permission templates: Yes 
  Synchronizes data from: SPML Provider 
  Temporary user/group management: No/No; SOX compliance capabilities: Yes 

Tools4Ever (888-770-4242, www.tools4ever.com) 
  Product: User Management Resource Administrator 
  Pricing: Between $2 and $15 per user 
  OSs supported: Windows 2000 and later 
  Change auditing support: Yes; Automated reports: Yes; Report formats: CSV, HTML, TXT 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: Yes/No; Permission templates: Yes 
  Synchronizes data from: SQL Server, Oracle, CSV, LDAP, FileMaker Pro, UniData 
  Temporary user/group management: Yes/Yes; SOX compliance capabilities: Yes 

Zeva (888-938-2462, www.zevainc.com) 
  Product: GroupLocker 
  Pricing: Between $0 and $5,000 
  OSs supported: Windows 7/Vista/XP, Server 2008/2003 
  Change auditing support: Yes; Automated reports: No; Report formats: N/A 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: No; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: No/No; Permission templates: No 
  Synchronizes data from: AD user's and contact's attributes 
  Temporary user/group management: No/No; SOX compliance capabilities: No 

ZOHO (888-720-9500, www.manageengine.com) 
  Product: ManageEngine ADManager Plus 
  Pricing: Standard version starts at $495 for one domain and two Help desk technicians 
  OSs supported: Windows 7/Vista/XP, Server 2008 R2/2008/2003/2000 
  Change auditing support: No; Automated reports: Yes; Report formats: CSV, CSVDE, HTML, PDF, XLS 
  Group Policy auditing: No; Real-time events: Yes; Scheduled add/remove object tasks: Yes 
  Bulk security principal management: Yes; Attestation workflow: Yes; OU-based administration: Yes 
  Backup and restore AD objects/Group Policies: No/No; Permission templates: Yes 
  Synchronizes data from: AD 
  Temporary user/group management: No/No; SOX compliance capabilities: Yes 

Buyer's guide table compiled by Blair Greenwood. 



Windows IT Pro 


JULY 2011 63 




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INDUSTRY BYTES 

Backup and Recovery • IT Sprawl • Mobile Security 


INSIGHTS FROM THE INDUSTRY 


Make Sure You Can Access Your Data 10 Years From Now 


In February, a small percentage of Gmail users had been logging on to their accounts and finding them empty. The good news was that the email was never lost—thanks to that old, faithful storage medium called tape. The truth is, the demise of tape has been greatly exaggerated. In fact, many argue that there's just no better way to store "Big Data." 

According to Matt Starr, Spectra Logic's CTO, the amount of data stored on tape continues to surge, as massive and growing digital archive demands compel users to seek practical and economic ways to address escalating data volumes. Spectra Logic expects worldwide tape archive capacity to grow more than six fold over the next five years—from just under 13 exabytes in 2010 to over 81 exabytes by 2015, driven by both new digital content and extended storage timelines. 

"Eighty percent of the world's data is 
stored on tape, and tape is the only media 
that can scale to exabyte(s) and still be cost 
effective," wrote Starr in a recent article. 
"Tape storage is denser than disk storage, 
costs less up-front, and is 10 times less 
expensive to operate over time than a disk- 
based solution. I'm not implying that disk 
does not have a play in the Big Data world; 
it is just not well suited as the 'meat' of a 
storage environment." 

But what about ensuring the integrity 
of data stored on tape for long periods of 
time—say, three, five, or even ten years? 

To that end, Spectra Logic has announced that it is offering free data integrity verification across its complete line of T-Series tape libraries from small to medium-sized business (SMB) to enterprise. Spectra's BlueScale Data Integrity Verification for tape libraries is an industry first and an important long-term data reliability feature that ensures data written to tape is retrievable now and for years into the future. With Data Integrity Verification, Spectra's tape libraries are the only tape storage systems on the market today that actively, automatically check the media and the data on tape throughout the storage life of the data. 

Data Integrity Verification is a new feature available in BlueScale 11.3, which powers Spectra Logic's line of tape libraries. Spectra Logic's Data Integrity Verification improves system availability and data integrity by proactively performing background read verification passes of the tape media on a scheduled basis and reporting potentially latent failures. 

Spectra's Data Integrity Verification includes three levels of fully automated validation: 

1. ProScan—Checks newly imported tapes to ensure they are ready to use (e.g., in good health, generationally compatible, and not write-protected). 

2. QuickScan—Quickly verifies the backup and archive data was successfully written to tape with a rapid single pass from the beginning of the tape to the end of the first track. 

3. PostScan—Automatically verifies the physical tape cartridge and the integrity of all of the data stored upon it. As with ProScan and QuickScan, the PostScan process is performed by the library and is independent of the backup application normally used to read and write data to the tape. 

Full enterprise-class capabilities including Data Integrity Verification are available immediately at no additional charge on all Spectra Logic tape libraries, including the Spectra T50e and T120, the Spectra T-Series Mid-Range T200, T380 and T680, and the enterprise-class T950 and T-Finity. These capabilities are part of Spectra Logic's BlueScale 11.3 management software, which powers Spectra's full line of tape libraries. 

—Jason Bovberg 

Introduction to Mobile Security Risk Management 


Chances are, your company is already managing mobile devices in some way. But, do you have any risk management policies or best practices in place? More likely, it was simply a situation where the business said, "We need this. Make it work." 

I spoke with Jeremy Allen, principal consultant with the Intrepidus Group, a consulting firm that specializes in mobile security. We discussed the steps to making wise decisions about mobile device management (MDM) based on risk management and strategy. To start, there are three questions companies should ask about device management. 

1. What data is going to be available on the devices? This is a balance between what level of data availability is best from both a security and practicality perspective. Obviously it'd be more secure to simply ban network access on mobile devices, but that wouldn't work for most users. "It all comes down to trade-offs like that and understanding what the worst-case scenario is when a device gets stolen, whether users will accept entering passcodes to get to email, etc.," said Allen. 

2. Who is going to have the devices? Once you know the what, you need to know the who. Certain employees have access to more sensitive information—it might make more sense to limit network access; put more restrictive policies on the device; limit them to secured BlackBerry phones; or restrict access to corporate data, email, and applications while offsite. 

"For some organizations, limited risk management works fine, because there aren't terribly sensitive things in their email," said Allen. "And then there's some departments, such as HR, that just might not get email on their personal device." 

3. What are the potential risks vs. potential costs? Ultimately you have to balance risk vs. cost. How much could it cost your organization if a phone was lost or stolen? Contrast that with the cost of paying for employees' phones and mobile device management. 

Another factor is productivity—will restricting access levels hinder productivity for highly mobile users? If so, it may be a bad idea. But if you work at a financial institution where data sensitivity is at its highest, the risks may very well outweigh the benefits. 

"Let's say you take a hypothetical organization that is going to roll out 5,000 iPads. They don't want them to end up as paperweights because they locked them down so much, they aren't useful or compelling to users. You have to understand the risk involved in the platform specifically and what you want users to do with it," Allen said. "So you have to ask what data will be walking out the door every day, and can you live with the risk of that? If you can't, are there things you can do with your mobile device management strategy that can reduce the risk to an acceptable level?" 

If you are unsure of how to go about making strategic decisions about risk management, or even what security policies are available to you, these would be good discussions to have with a consultant or your mobile device provider. 

Other Trends in Mobile Security 

When it comes to security, BlackBerry is stalling. There's a growing sentiment that Exchange ActiveSync (EAS) offers acceptable security policies, and since EAS works across all the major smartphone platforms, it's not really a big deal which devices you support. There is some truth to this, but for organizations that need the best security and policy management on mobile devices, BlackBerry is still king. 

"In terms of who is the best at mobile security, BlackBerry is definitely the best at devising a mobile device platform, the kind that's by business, for business. BlackBerry Enterprise Server has total control over that device, pretty much, from an administrator's perspective." 

"With iOS, you can take a personal device and enroll it, but then at any time in the future the user can voluntarily say, 'I don't want to be managed by this MDM server.' When they terminate the relationship, they lose all access to corporate email, but they're essentially always able to do that, even on corporate-owned devices. There are pitfalls with all the platforms, so it's not a very cohesive thing to manage from one platform to the next. With that being said, we have realized in most cases that iOS does set an acceptable bar for security requirements," Allen said. 

The takeaway? You really need to 
understand how the policies work for each 
platform (and even device) to determine 
which to support. 

Applications are the threat of the future. "I think in the next year we're going to see a lot of awareness for application privacy. People install dozens of applications and they leak your private data like it's going out of style," Allen said. "There's an awareness that many applications do this and to use almost any application you have to click through and let the application have access to your contacts. It's not necessarily malicious behavior, but less than ideal behavior." 

At the end of the day, a level of trust 
and education is necessary to keep your 
organization safe. If there are users you're 
not comfortable with trusting with a device, 
maybe they shouldn't be given a device. 

"Ultimately, you're trusting your users to do the right thing, and even with a BlackBerry, a lot of security comes from policy and user awareness that you shouldn't do these bad things. Yes you can terminate the MDM relationship, but we'll know because we can clear your device. And if we find out you did this on purpose or it keeps happening, we'll take away your toy or you'll get more severe HR punishment," Allen said. "So this is what Apple calls the carrot and stick approach—you get the carrot of email access and things like that, and they hope the stick of you deleting the MDM relationship would be bad enough that you won't do it." 

—Brian Reinholz 
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BDNA Works to Address 
IT Product Sprawl 

Many (if not all) businesses and enterprises have a problem 
with data sprawl on their corporate networks. There are 
literally millions of outdated documents, installed programs, 
unused applications, photos, PDFs, and other files clogging 
up storage space across the network. Disk-based storage 
has become so inexpensive that it's often easier to buy more 
storage than go through spring cleaning. 

There's a darker side to this chaotic sprawl of outdated, unmonitored, and neglected programs in a business setting. How do you know how many applications you have for licensing purposes? And how many of those applications are missing required patches, or are afflicted with a security vulnerability? Solving just that sort of problem has become the mission of BDNA, a business that helps companies overcome file and application sprawl. 

I recently spoke with BDNA's Chief Technology Officer Walker White, who explained that BDNA's first product was BDNA Technopedia, an exhaustive catalog of hardware and software. Technopedia compiled everything about a product: the name of the company that produced it, the latest version number, all variants of the product name, when it first shipped, vendor support policies, and a myriad of other information points. Walker says that BDNA Technopedia has information on more than 90,000 products and 10 million data points. 

While BDNA Technopedia is useful as an information source, it becomes much more powerful when combined with a discovery tool that can help IT managers find, identify, and categorize all of their IT assets. BDNA Discover is just that sort of product, and it can quickly (via an agentless software approach) comb the far reaches of the company IT infrastructure, detect what hardware and software is available, normalize the data, and provide that information to the IT manager. This type of information can be invaluable to determine how many PCs are running across the enterprise, what OSs they're running, what their hardware specs are, etc. 

While BDNA Discover had some success as a standalone product, White says that BDNA eventually realized the benefit of working with existing discovery and management platforms such as Microsoft's System Center product family. BDNA Normalize was born, a product offering that relies on Configuration Manager to do the data collection work, but then integrates those results with BDNA Technopedia to provide an accurate report of what IT resources are available. As an example, Oracle used BDNA Discover to consolidate those additional and unneeded servers into larger datacenters in Austin or Salt Lake City, saving them a small fortune in power and management costs. 

For information on BDNA Discover and BDNA Normalize, visit www.bdna.com. 
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Ctrl+Alt+Del 

by Jason Bovberg 




PRODUCT OF THE MONTH 


Zombies are hot! Even so, we were taken aback by the wording of a press release in our Inbox recently: NEWS FLASH: Zombies Are Up 70 Percent, says Commtouch. Far from announcing the onset of a zombie apocalypse, however, Commtouch is applying the term to malware, which—when you think about it—can take on the characteristics of a zombie outbreak. According to the company, Commtouch's Zero-Hour Virus Outbreak Protection and Command Antivirus protect customers from the recent 400 percent jump in email-borne malware. And with its Threat Protection Modules and "long track record of early interception of malicious outbreaks," Commtouch gets our vote for the company most prepared for the inevitable zombie Armageddon. 


Figure 1: Zombie checks are essential (GFI MailEssentials configuration dialog: "If GFI MailEssentials is not installed on a perimeter (gateway) server then the 'Perimeter SMTP Servers' option in the Anti-Spam node properties has to be configured for the Botnet/Zombie Check to function correctly.") 


Figure 2: Blue screen of death (browser error page: "He's Dead, Jim! Something caused this webpage to be killed, either because the operating system ran out of memory, or for some other reason. To continue, press Reload or go to another page.") 


IT PRO OF THE YEAR! 


To celebrate Systems Administrator Appreciation Day—which falls on July 29, 2011, this year—Windows IT Pro is sponsoring a contest for readers to submit (and vote on) the best IT pro of the year. The winner will be announced on July 29. We're looking for your most creative, ingenious IT success stories. If you or someone you know has applied a particularly interesting solution to an IT problem, be sure to nominate it! IT pros submit up to a 500-word essay describing why they (or the person they're nominating) should be considered IT Pro of the Year. An online form to process submissions is available at www.windowsitpro.com/awards/systems-administrator-of-the-year, and will remain open for submissions until Wednesday, June 30. We'll review the applications and select 10 finalists. These finalists will be posted online on Friday, July 8, and site visitors can then vote on which systems administrator should be selected as Systems Administrator of the Year. 
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